Cybersecurity Radar — 2026-05-12
Check Point Research's fresh Q1 2026 ransomware data reveals 2,122 victims across 70+ active leak sites, with Qilin, The Gentlemen, and LockBit dominating the landscape — even as a new report from Cybersecurity Dive exposes that disclosed incidents represent only a fraction of actual attacks. Meanwhile, the ransomware consolidation trend is reshaping baseline risk expectations heading into mid-2026.
🔴 Critical Alerts
Ongoing Ransomware Surge — 2,122 Q1 2026 Victims Confirmed
Check Point Research's State of Ransomware Q1 2026 report, published within the last 24 hours, documents 2,122 new victims listed on more than 70 active data leak sites. While this represents a 12.2% decline from Q4 2025's all-time record of 2,416 victims, the figure remains historically elevated. Critically, 71% of victims are tied to the top 10 ransomware groups — a sign of dangerous consolidation. Affected sectors span manufacturing, healthcare, government, and professional services globally. Recommended action: Prioritize endpoint detection, offline backups, and network segmentation now.
Ransomware Underreporting Crisis — Only 1 in 10 Attacks Disclosed
A report covered by Cybersecurity Dive (published within the coverage window) reveals that the number of disclosed ransomware incidents tracked by BlackFog in Q1 2026 was roughly one-tenth of undisclosed incidents. This means organizations are absorbing attacks silently — making threat intelligence dramatically incomplete. Recommended action: Security teams should not rely solely on public incident data; assume attack rates are 10× what is publicly reported and increase proactive threat hunting accordingly.

Threat Landscape
Qilin, The Gentlemen, and LockBit Lead Ransomware Consolidation
Check Point Research's Q1 2026 ransomware report (published 19 hours ago) identifies Qilin, The Gentlemen, and LockBit as the top three ransomware groups by victim count. The consolidation of 71% of all victims under 10 groups signals a maturation of the ransomware-as-a-service ecosystem, with elite operators absorbing affiliates and capabilities from defunct groups. TTPs increasingly favor data exfiltration over disruptive encryption, allowing attackers to extract leverage without triggering immediate incident response. Manufacturing, healthcare, and legal sectors remain primary targets.

ShinyHunters' Multi-Stage Assault on Instructure Canvas Resurfaces in New Context
According to Krebs on Security (published 5 days ago, within coverage context), the May 2026 Canvas breach — in which ShinyHunters claimed 275 million user records — is now understood as "the planned escalation of an attack pattern" that began at least eight months prior. A Penn-specific incident previously treated as isolated has been reframed as part of the same extended intrusion campaign against Instructure's environment. TTPs suggest patient, multi-wave data collection targeting educational platforms and their sensitive student PII repositories.
AI-Assisted Supply Chain Poisoning — Typosquatted OpenAI Package Delivers Infostealer
The Hacker News homepage (updated 12 hours ago) highlights a newly disclosed supply chain attack in which a malicious repository typosquatted OpenAI's legitimate "Privacy Filter" package. The attacker copied the model card nearly verbatim and shipped a loader.py file designed to fetch and execute infostealer malware. This attack targets developers integrating AI tools and demonstrates how AI ecosystem trust is being weaponized. Separately, a critical vulnerability in Ollama — allowing remote unauthenticated attackers to leak the entire process memory — has also been disclosed on the same page.
Vulnerabilities & Patches
Dirty Frag — Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500)
Tenable's FAQ, published 4 days ago, details "Dirty Frag," a Linux kernel privilege escalation exploit chain with a public proof-of-concept. Both CVEs affect major Linux distributions. The embargo was broken prematurely, forcing administrators to respond without a complete patch available. Forbes coverage confirmed this is an active zero-day giving attackers root access. Recommended action: Apply available kernel mitigations and workarounds immediately; monitor Tenable and distro-specific security advisories for patch availability.
Ivanti EPMM Zero-Day (CVE-2026-6973) — High-Severity RCE Exploited in Targeted Attacks
Ivanti patched a high-severity vulnerability in its Enterprise Mobility Management solution (EPMM) — CVE-2026-6973 — which allows an attacker with admin privileges to execute arbitrary code. SecurityWeek and Help Net Security (4 days ago) confirmed the flaw was actively exploited in targeted attacks before the patch was released. EPMM is widely deployed in enterprise MDM environments, including government and financial sectors. Recommended action: Apply Ivanti's patch for CVE-2026-6973 immediately; audit admin account access and review EPMM deployment exposure.

Critical Ollama Memory Leak — Remote Unauthenticated Attacker Vector
The Hacker News (updated 12 hours ago) reports disclosure of a critical vulnerability in Ollama — the popular local LLM runtime — that allows a remote, unauthenticated attacker to leak the entire process memory. This is particularly dangerous given Ollama's use in enterprise AI deployments that may process sensitive documents and credentials. No CVE or patch details are available yet from this source. Recommended action: Restrict Ollama API exposure; do not expose Ollama instances to the public internet until a patch is confirmed.
Breaches & Incidents
Canvas/Instructure Breach — 275 Million Student Records Claimed by ShinyHunters
Malwarebytes reported (6 days ago) that ShinyHunters claimed to have stolen personal data from 275 million users of Instructure's Canvas learning management platform, used across schools and higher education institutions globally. The breach disrupted academic operations during finals week. According to Krebs on Security, this was not an isolated event but the culmination of a multi-month intrusion campaign. Student PII — including names, email addresses, and institutional identifiers — is believed to be in the stolen dataset. Instructure's response status remains ongoing.

Ransomware Underreporting — Systemic Concealment of Incidents
BlackFog's Q1 2026 analysis, as reported by Cybersecurity Dive, found that the number of undisclosed ransomware incidents dwarfs publicly known cases by approximately 10:1. This systematic concealment distorts threat intelligence, regulatory reporting frameworks, and insurance risk calculations. No single high-profile incident is identified, but the pattern represents an industry-wide breach response crisis affecting organizations across all sectors.
Industry & Policy
CSIS Significant Cyber Incidents Timeline — Updated Within 24 Hours
The Center for Strategic and International Studies (CSIS) Significant Cyber Incidents tracker was updated 1 day ago. The living document, which focuses on state actions, espionage, and attacks with losses exceeding $1 million, reflects continued escalation in nation-state cyber activity. Organizations tracking geopolitical cyber risk should monitor this resource for the latest additions.
Ransomware Groups Increasingly Operating with Nation-State Overlap
According to SecurityWeek's Cyber Insights 2026 analysis (published February 2026, cited here for contextual framing of current Q1 findings), the line between ransomware gangs and nation-state actors continues to dissolve. Kiteworks VP Dario Perfettibile noted that "ransomware gangs operating with state approval can simultaneously pursue profit and geopolitical objectives," specifically citing Russian groups targeting defense contractors. This framing is increasingly validated by the Q1 2026 consolidation data from Check Point Research, where a handful of elite groups command the majority of activity.
AI Supply Chain Attacks Emerge as Critical 2026 Threat Vector
The Hacker News homepage (12 hours ago) highlights a new category of AI-assisted and AI-targeted attacks — including typosquatted AI packages designed to deliver infostealers to developers. This follows broader 2026 trends of attackers targeting the AI toolchain as an attack surface, exploiting developer trust in AI-branded repositories. Expect regulatory and vendor guidance on AI package integrity to accelerate in coming months.
What to Watch
- Dirty Frag patch timeline: No full patch is yet available for CVE-2026-43284 / CVE-2026-43500. Linux admins should monitor kernel security mailing lists and distro advisories daily — a patch release could come any day and will require rapid deployment.
- Ransomware Q2 escalation risk: With 71% of victims now concentrated under 10 groups, a takedown or destabilization of any top-tier group (similar to LockBit disruptions in prior years) could trigger affiliate reshuffling and a temporary spike in opportunistic attacks.
- AI ecosystem supply chain targeting: The typosquatted OpenAI package attack signals a growing pattern — expect more AI-branded malicious packages across PyPI, npm, and Hugging Face. Organizations integrating AI tooling should implement package integrity verification policies immediately.
Reader Action Items
- Patch Ivanti EPMM now: CVE-2026-6973 is actively exploited in targeted attacks. If your organization uses Ivanti EPMM for mobile device management, apply the available patch immediately and audit administrator accounts for unauthorized access or privilege escalation.
- Mitigate Dirty Frag on Linux systems: Apply all available kernel hardening mitigations for CVE-2026-43284 and CVE-2026-43500. Restrict local user privileges on sensitive Linux hosts, disable unnecessary local access vectors, and monitor Tenable and your Linux distribution's security advisory feed for patch availability.
- Audit AI development toolchains: Given the newly disclosed typosquatted OpenAI package attack, review all AI/ML dependencies used by your development teams. Verify package hashes against official sources, enable dependency scanning in CI/CD pipelines, and restrict developer ability to install unvetted packages from public repositories.
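The typosquatted-package item in the Threat Landscape section and the "Audit AI development toolchains" action item both come down to two controls a CI/CD pipeline can enforce: accept a package artifact only when its hash matches a pinned digest from a trusted source, and hold any requested package name that is a near-miss of a vetted name for human review. The Python below is an added example written for this digest; it is not code from The Hacker News, OpenAI, or any project named above. The allowlist, lockfile, versions, digests and artifact bytes are all constructed, the edit-distance threshold of 2 is an assumption, and nothing from the malicious package itself is reproduced.

```python
"""Two dependency-integrity controls for an AI/ML toolchain.

1. Hash pinning: a downloaded artifact is accepted only if its SHA-256 matches a
   digest recorded in a lockfile written in pip's ``name==version --hash=sha256:...``
   syntax (the same check ``pip install --require-hashes`` performs).
2. Typosquat screening: a requested package name that is a near-miss of a vetted
   name is held for review rather than installed.

Every package name, version, digest and artifact byte string below is constructed
for this example; none is taken from the incident described in the newsletter.
"""
import hashlib
import re
import tempfile

# Hypothetical allowlist of package names the team has already vetted (PEP 503
# normalized form: lower-case, runs of '-', '_' and '.' collapsed to '-').
ALLOWLIST = {"openai", "numpy", "requests", "torch"}

# Constructed stand-in for a wheel file; the digest recorded in the lockfile is
# derived from it so the example is self-contained.
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for numpy-1.26.4 wheel bytes"
LOCKFILE = (
    f"numpy==1.26.4 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
    "requests==2.32.3 --hash=sha256:" + "0" * 64 + "\n"   # placeholder digest
)

_LOCK_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> dict:
    """Map normalized package name -> (version, set of accepted sha256 digests)."""
    lock = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LOCK_LINE.match(line)
        if not m:
            # A line without --hash would let an unpinned artifact through: refuse it.
            raise ValueError(f"lockfile line is not hash-pinned: {line!r}")
        name, version, hashes = m.groups()
        digests = set(re.findall(r"sha256:([0-9a-f]{64})", hashes))
        lock[normalize(name)] = (version, digests)
    return lock


def verify_bytes(data: bytes, name: str, lock: dict) -> bool:
    """True only if `name` is pinned in the lockfile and `data` matches a pinned digest.
    An unpinned package fails closed: there is nothing to verify it against."""
    entry = lock.get(normalize(name))
    if entry is None:
        return False
    return hashlib.sha256(data).hexdigest() in entry[1]


def verify_artifact(path: str, name: str, lock: dict) -> bool:
    """File-based wrapper around verify_bytes for a downloaded wheel or sdist."""
    with open(path, "rb") as fh:
        return verify_bytes(fh.read(), name, lock)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_name(name: str, allowlist=ALLOWLIST, max_distance: int = 2) -> str:
    """Classify a requested package name:
    'allowed' - exactly matches a vetted name;
    'suspect' - within `max_distance` edits of a vetted name (typosquat candidate);
    'unknown' - not vetted and not near any vetted name (goes through normal review)."""
    norm = normalize(name)
    if norm in allowlist:
        return "allowed"
    if min(edit_distance(norm, good) for good in allowlist) <= max_distance:
        return "suspect"
    return "unknown"


if __name__ == "__main__":
    lock = parse_lockfile(LOCKFILE)
    with tempfile.NamedTemporaryFile(suffix=".whl", delete=False) as fh:
        fh.write(GOOD_WHEEL + b"\n# tampered")   # simulated substituted artifact
        tampered = fh.name
    print("genuine bytes :", verify_bytes(GOOD_WHEEL, "numpy", lock))    # True
    print("tampered file :", verify_artifact(tampered, "numpy", lock))   # False
    for requested in ("openai", "openia", "Requests", "pandas"):
        print(f"{requested:10} -> {screen_name(requested)}")
```

Both checks fail closed: a package absent from the lockfile is rejected rather than waved through, and a near-miss name is surfaced as "suspect" instead of being resolved against the public index. In a real pipeline the lockfile digests come from the upstream project's published release, not from the artifact being checked; the example derives them locally only so it runs offline.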
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.