Security & IT News

More than 200 individuals were arrested for cybercrime activities during INTERPOL's Operation Ramz, which focused on the Middle East and North Africa. [...]

A new variant of the 'SHub' macOS infostealer uses AppleScript to show a fake security update message and installs a backdoor. [...]

Until this past weekend, a contractor for the Cybersecurity Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history. On May 15, KrebsOnSecurity heard from Guillaume Valadon , a researcher with the security firm GitGuardian . Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive. A redacted screenshot of the now-defunct “Private CISA” repository maintained by a CISA contractor. The GitHub repository that Valadon flagged was named “ Private-CISA ,” and it harbored a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets. Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories. “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.” One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. According to Caturegli, those system included one called “LZ-DSO,” which appears short for “Landing Zone DevSecOps,” the agency’s secure code development environment. Philippe Caturegli , founder of the security consultancy Seralys , said he tested the AWS keys only to see whether they were still valid and to determine which internal systems the exposed accounts could access. Caturegli said the GitHub account that exposed the CISA secrets exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository. &#822

Modern OSINT platforms rely more on AI and automation, while older social tracking methods keep losing access due to privacy and API restrictions.

Since the last update , the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI. Bottom line up front Two TeamPCP events broke within 48 hours of each other and doubled attention on the campaign. Checkmarx confirmed its Jenkins AST plugin was trojanized, its third compromise in three months, validating an earlier single-researcher claim. In parallel, a new Mini Shai-Hulud worm poisoned roughly 170 npm and PyPI packages (42 @tanstack packages in about six minutes, downloads above 500 million) and was the first documented npm malware shipping with valid SLSA Build Level 3 provenance, plus a 1-in-6 disk-wipe payload on Israeli and Iranian locale hosts. NHS England issued the campaign's first government alert; CISA stayed silent. Action: audit CI for the indicators below, stop trusting provenance alone, pin and lockfile-verify dependencies. How this developed The period opened quiet and derivative: the lead story was PCPJack , a rival worm that evicts TeamPCP before stealing credentials, alongside a single-researcher claim that a Checkmarx Jenkins plugin had been backdoored. Days later it turned loud: Checkmarx officially confirmed that exact Jenkins compromise, and a new Mini Shai-Hulud worm hit the npm and PyPI ecosystems hard. The through-line is escalation: an unconfirmed rumor became a confirmed incident, and the campaign moved from a quiet competitor-eviction story to a high-impact, signed-malware supply chain wave. What changed, by theme Checkmarx Jenkins plugin: an unconfirmed claim, then official confirmation Takeaway: a single-researcher claim, explicitly logged as unconfirmed at the time, was confirmed by Checkmarx four days later. On 2026-05-09, researcher Berk Albayrak reported on X that the Checkmarx Jenkins AST scanner plugin had been backdoored. No Tier 1 outlet, no vendor, and no Checkmarx statement corroborated it at the time, so it was carried as information-only pending confirmation. On 2026-05-11 Checkmarx published an official update acknowledging that a tampered plugin (version 2026.5.09) had been published to the Jenkins Marketplace, with an exposure window of 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC. The Register , BleepingComputer , SecurityWeek , and The Hacker News carried it the same day. This is the third TeamPCP compromise of Checkmarx in three months, and the malicious plugin was installed by several hundred Jenkins controllers. Last known-good build: 2.0.13-829.vc72453fa_1c16 (2025-12-17). Remediated builds (both 2026-05-09): 2.0.13-848.v76e89de8a_053 and 2.0.13-847.v08c0072b_2fd5. The Mini Shai-Hulud TanStack wave Takeaway: a self-spreading worm poisoned roughly 170 npm and PyPI packages, and the publishes came from TanStack's own trusted release pipeline. Starting 2026-05-11 at 19:20 UTC, the worm published 84 malicious artifacts across 42

Many employees already use shadow AI tools at work without security review. Adaptive Security breaks down how teams can build practical AI governance without adding friction for employees. [...]

The newly discovered Reaper malware bypasses Apple's macOS Tahoe 26.4 security updates to steal passwords, crypto assets, and install a permanent backdoor.

The Shai-Hulud malware leaked last week is now used in new attacks on the Node Package Manager (npm) index, as infected packages emerged over the weekend. [...]

INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these

The New York public healthcare system said hackers stole personal and medical data, and scans of biometrics — including fingerprints — in one of the largest recorded breaches of 2026.

AI is rapidly reshaping how work gets done in companies and organizations. In celebrating National Small Business Month, we want to acknowledge the unique challenges that growing business leaders face as AI creates both opportunity and risk. They face constant tradeoffs between moving fast, managing risk, and keeping operations stable under pressure. At the same time, cybercriminals are moving faster, their attacks are becoming more targeted, and AI is helping increase efficacy of the threats. In fact, AI-automated phishing is 4.5 times more effective than traditional cyberattacks. It takes only one convincing phishing email, and one stray click to enable a breach. 1 The key question is: How can we maximize the benefits of AI while staying protected in a rapidly evolving threat landscape? Read the datasheet: “AI is here. How will you keep your business secure?” Cybersecurity—from IT issue to business risk Today’s cybersecurity landscape is defined by speed, scale, and automation—trends that disproportionately affect growing businesses. According to the 2025 Microsoft Digital Defense Report , Microsoft now processes more than 100 trillion security signals every day and blocks 4.5 million new malware files daily , underscoring just how industrialized cybercrime has become. Increasingly, cyberattackers are using AI to automate phishing, generate highly convincing scams, and rapidly adapt malware, making cyberattacks more frequent and harder to detect. For businesses that often lack dedicated security teams or round-the-clock monitoring, this shift has real business consequences: disrupted operations, financial loss from ransomware or fraud, and lasting damage to customer trust. The report also notes that most modern cyberattacks now target identities, like user accounts and access—a challenge for organizations relying on cloud services and remote work without strong protections in place for accounts and access. As AI continues to amplify both the volume and sophistication of cyberattacks, cybersecurity is no longer just an IT issue for businesses—it’s a core business risk that can directly affect resilience and growth. Source: Cyber Signals Issue 9. 2 Building a foundation of trust In this new reality, security becomes the foundation of trust—helping growing businesses protect their operations, preserve customer trust, and move forward with confidence. For business owners, cybersecurity isn’t just about stopping cyberattacks; it’s about keeping the business running day to day. When systems go down, orders can’t be processed, employees can’t do their work, and customers are left waiting or wondering whether their data is safe. Even short disruptions can have outsized consequences for growing businesses, from lost revenue and stalled growth to reputational damage that’s hard to repair. By making security a core part of how the business operates—not an afterthought—even the smallest businesses put themselves in a stronger position to withstand disrupti

Performance reviews inside cybersecurity teams carry unusually high stakes. Security analysts, incident responders, IT administrators, and compliance staff…

Over 200 people were arrested in an anti-cybercrime operation that spanned 13 countries across the Middle East and North Africa

Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted. The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production

Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token. [...]

Government Backed Hackers abused Cloudflare storage services in a Malaysian espionage campaign involving hidden C2 systems and data exfiltration.

The open source project said hackers stole its codebase and threatened to publish its source code if the company did not pay.

New for 2026, the Infosecurity Europe Startup competition will see five finalists pitch their ideas in front of a live audience, including senior industry leaders, investors and buyers

What happens when a phishing email looks clean enough to pass through security, but dangerous enough to expose the business after one click? That is the gap many SOCs still struggle with: the attacks that leave teams unsure what was exposed, who else was targeted, and how far the risk has spread. Early phishing detection closes that gap. It helps teams move from uncertainty to evidence faster,

New York, USA, 18th May 2026, CyberNewswire