Cybersecurity Radar — 2026-05-22
Microsoft has begun rolling out emergency patches for two actively exploited Windows Defender zero-days, while threat actors are brute-forcing SonicWall VPN credentials to deploy ransomware tools. Meanwhile, Unit 42's updated analysis reveals a significant evolution in npm supply chain attack sophistication, including wormable malware and CI/CD persistence techniques — raising alarms across DevSecOps teams.
🔴 Critical Alerts
Microsoft Defender Zero-Days Under Active Exploitation
Microsoft has started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. Both flaws were confirmed as being used in live attack campaigns prior to patching. All organizations running Microsoft Defender should apply updates immediately.
SonicWall Gen6 SSL-VPN Ransomware Attack Chain
Threat actors are actively brute-forcing VPN credentials and bypassing multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks, according to BleepingComputer (May 20, 2026). Organizations using SonicWall Gen6 SSL-VPN appliances should immediately audit MFA configurations, rotate credentials, and monitor for unusual authentication activity.
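The "monitor for unusual authentication activity" step above is easiest to see in code. The following is an added example, not code from BleepingComputer or from this digest: a sliding-window detector run over a handful of constructed VPN authentication events. The log layout, hostnames, addresses and usernames are invented for illustration and are not SonicWall's actual log schema, and the failure threshold and time window are assumptions to tune against your own baseline. It reports two signals per source address: a burst of failed logins (and whether they spread across many accounts, the spray pattern) and a successful login while such a burst is still active, which is the case that most strongly argues for rotating that account's credential and re-checking its MFA enrolment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a generic syslog-like layout. This is NOT
# SonicWall's real log schema; timestamps, addresses and usernames are invented.
SAMPLE_LOG = """\
2026-05-20T08:00:01Z vpn01 sslvpn: auth result=FAIL user=alice src=203.0.113.10
2026-05-20T08:00:03Z vpn01 sslvpn: auth result=FAIL user=alice src=203.0.113.10
2026-05-20T08:00:04Z vpn01 sslvpn: auth result=FAIL user=bob src=203.0.113.10
2026-05-20T08:00:06Z vpn01 sslvpn: auth result=FAIL user=carol src=203.0.113.10
2026-05-20T08:00:08Z vpn01 sslvpn: auth result=FAIL user=dave src=203.0.113.10
2026-05-20T08:00:09Z vpn01 sslvpn: auth result=OK user=dave src=203.0.113.10
2026-05-20T08:05:00Z vpn01 sslvpn: auth result=FAIL user=erin src=198.51.100.7
2026-05-20T08:30:00Z vpn01 sslvpn: auth result=OK user=erin src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sslvpn: auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one event; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=4, window=timedelta(minutes=5)):
    """Sliding-window detector over authentication events.

    Signals raised per source address (threshold and window are assumptions):
      burst                - at least `threshold` FAIL events inside `window`
      success_after_burst  - an OK event while a burst is still active
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) for FAIL events
    already_reported = set()      # sources whose burst has been reported once
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["src"] not in already_reported:
                already_reported.add(ev["src"])
                findings.append({
                    "src": ev["src"], "signal": "burst", "failures": len(q),
                    "users": sorted({u for _, u in q}),  # many users = spray
                    "at": ev["ts"].isoformat(),
                })
        elif len(q) >= threshold:
            # A success while the burst is still inside the window
            findings.append({
                "src": ev["src"], "signal": "success_after_burst",
                "user": ev["user"], "at": ev["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```

On the constructed input the detector reports one burst from 203.0.113.10 spread across three accounts and then the successful login for `dave` from the same address; the single failure from 198.51.100.7 followed by a success half an hour later stays below the threshold and is not reported. In a real deployment the parser is the part you replace with your appliance's actual field layout; the windowing logic stays the same.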

Threat Landscape
npm Supply Chain Attack Landscape Evolves Post-Shai Hulud
Unit 42 (Palo Alto Networks) published an updated analysis of the npm supply chain threat surface on May 21, 2026. The report details wormable malware capable of self-propagation across developer environments, CI/CD pipeline persistence techniques, and multi-stage attack chains. The findings highlight a significant escalation in attacker sophistication targeting software supply chains following the Shai Hulud campaign. DevSecOps teams and open-source maintainers are primary targets.

ShinyHunters Escalation Against Instructure: A Months-Long Campaign
Krebs on Security (published within the past 4 days) revealed that the May 2026 Instructure breach was not an isolated incident but rather the planned escalation of an attack pattern. According to the analysis, threat actor ShinyHunters had been working against Instructure's environment for at least eight months prior to the May 2026 events — making what was initially framed as a Penn-specific story dramatically more significant.
State-Backed Ransomware Targeting OT and Critical Infrastructure
A May 17, 2026 analysis from Industrial Cyber highlights escalating concern over state-backed ransomware activity targeting operational technology (OT) environments. A March 2026 Trellix assessment described the growing sophistication of Iran's cyber ecosystem, including use of affiliated groups and ransomware-style operations that blur the distinction between state-directed campaigns and criminal activity. Energy, manufacturing, and critical infrastructure sectors are at heightened risk.

Vulnerabilities & Patches
CVE-2026-45585 — Microsoft "YellowKey" BitLocker Bypass (CVSS 6.8)
Microsoft released mitigations for a publicly disclosed BitLocker bypass tracked as CVE-2026-45585, dubbed "YellowKey," with a CVSS score of 6.8. This is a medium-severity issue, but the public availability of a working exploit increases its effective risk. Organizations relying on BitLocker for endpoint data protection should apply available mitigations promptly while awaiting a full patch.

Microsoft Defender Zero-Days (No CVE IDs Yet Published)
Two separate Defender vulnerabilities, confirmed exploited in the wild, have now received patches from Microsoft. Full CVE details are pending publication. Security teams should verify Defender definition and platform updates are current across all endpoints.
Linux Kernel Privilege Escalation — CVE-2026-46333 (CVSS 5.5)
Cybersecurity researchers disclosed a Linux kernel vulnerability, CVE-2026-46333, that remained undetected for nine years. The flaw is an improper privilege management issue that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of Debian, Fedora, and Ubuntu. Organizations running these distributions should monitor for available patches.
Breaches & Incidents
ShinyHunters — Instructure Multi-Month Compromise Confirmed
Krebs on Security's investigation (published within the past 4 days) reveals that the ShinyHunters threat actor had been working against Instructure's environment for a minimum of eight months before the widely reported May 2026 breach escalation. What was initially characterized as a Penn-specific incident has been confirmed as part of a broader, sustained attack pattern against Instructure's infrastructure, affecting educational institutions and their student data at scale. The full scope of the breach and response status continue to evolve.
Ransomware Frequency Rises Despite Declining Payments
The 2026 Verizon Data Breach Investigations Report, discussed in a fresh analysis published approximately 6 hours ago by Paubox, found that ransomware appeared in 48% of all breaches — up from 44% the prior year. Notably, the trend shows that while ransomware prevalence is climbing, fewer organizations are paying ransoms, reflecting improved resilience and backup strategies.
Industry & Policy
CISA Confirms Defender Zero-Days Under Active Exploitation
CISA has confirmed the Microsoft Defender zero-days are under active exploitation, elevating the urgency for organizations to apply Microsoft's latest security patches. CISA advisories typically trigger mandatory remediation timelines for federal civilian agencies and serve as strong guidance for the broader private sector.
Verizon DBIR 2026: Vulnerability Exploitation Now the Top Breach Vector
The 2026 Verizon Data Breach Investigations Report marks a significant inflection point: vulnerability exploitation has overtaken credential theft as the leading breach vector. The report notes that AI is accelerating attacks, patching delays are worsening industry-wide, and ransomware plus third-party compromises continue to surge. This finding reshapes prioritization for security teams heading into the second half of 2026.
What to Watch
- npm ecosystem attacks hardening: With Unit 42 documenting wormable malware and CI/CD persistence in the npm supply chain, organizations should expect escalating supply chain compromises targeting developer pipelines — especially in the weeks following the Shai Hulud campaign analysis going public.
- SonicWall MFA bypass attempts likely to intensify: Active brute-force campaigns against SonicWall Gen6 SSL-VPN MFA represent a growing playbook for ransomware precursors; monitor for similar tactics targeting other VPN vendors.
- Linux kernel CVE-2026-46333 patch availability: With the nine-year-old privilege escalation flaw now public, expect rapid weaponization. Organizations running Debian, Fedora, and Ubuntu should treat patch availability as urgent when distributions release fixes.
Reader Action Items
- Patch immediately: Apply Microsoft's Defender updates for the two actively exploited zero-days and implement BitLocker bypass mitigations for CVE-2026-45585 across all Windows endpoints. Verify patch status organization-wide before end of day.
- Audit SonicWall VPN configurations: Review all SonicWall Gen6 SSL-VPN deployments for MFA hygiene — confirm MFA is enabled and functioning correctly, rotate VPN credentials, and review authentication logs for anomalous brute-force activity.
- Review npm and CI/CD dependencies: Given Unit 42's updated findings on wormable npm malware and pipeline persistence, audit your CI/CD toolchain for unexpected packages, enforce package lock files, and enable supply chain security scanning in build pipelines.
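The last action item, auditing the CI/CD toolchain and enforcing package lock files, can be partly automated. The following is an added example, not code from Unit 42 or from this digest: a small audit of an npm `package-lock.json` (lockfileVersion 2 or 3 layout, whose per-package `resolved`, `integrity` and `hasInstallScript` fields are real npm lockfile fields) that flags packages fetched without a recorded source or integrity hash, packages pulled over plain HTTP or from a registry host outside an allowlist, integrity hashes weaker than sha512, and packages that run an install script. The sample lockfile, its package names and hashes are constructed for illustration, and the allowlisted registry host is an assumption to replace with your organization's mirror or private registry.

```python
import json
from urllib.parse import urlparse

# Registry hosts a build is expected to pull from. This is an assumption for the
# example; set it to your own mirror or private registry.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed package-lock.json (lockfileVersion 3 layout): one clean package and
# two that should draw attention. Package names and hashes are invented.
SAMPLE_LOCK_TEXT = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"good-lib": "^2.1.0"}},
        "node_modules/good-lib": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/sketchy-lib": {
            "version": "0.0.9",
            "resolved": "http://mirror.example.invalid/sketchy-lib-0.0.9.tgz",
            "integrity": "sha1-" + "B" * 27 + "=",
            "hasInstallScript": True,
        },
        "node_modules/no-integrity": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/no-integrity/-/no-integrity-1.0.0.tgz",
        },
    },
})


def audit_lockfile(lock_text, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Return a list of (package_path, issue, detail) tuples for one lockfile."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        # lockfileVersion 1 has no 'packages' map, so this audit cannot run on it
        raise ValueError("expected lockfileVersion 2 or 3")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project or workspace symlink: nothing is downloaded
        resolved = meta.get("resolved")
        integrity = meta.get("integrity")
        if not resolved:
            findings.append((path, "missing-resolved", "no source URL recorded"))
        else:
            url = urlparse(resolved)
            if url.scheme != "https":
                findings.append((path, "insecure-transport", url.scheme or "none"))
            if url.hostname not in allowed_hosts:
                findings.append((path, "unexpected-registry", url.hostname or resolved))
        if not integrity:
            findings.append((path, "missing-integrity", "tarball cannot be verified"))
        elif not integrity.startswith("sha512-"):
            findings.append((path, "weak-integrity", integrity.split("-", 1)[0]))
        if meta.get("hasInstallScript"):
            findings.append((path, "install-script", "runs code at install time; review it"))
    return findings


def audit_lockfile_path(lock_path, allowed_hosts=ALLOWED_REGISTRY_HOSTS):
    """Convenience wrapper for a lockfile on disk, e.g. from a CI job."""
    with open(lock_path, encoding="utf-8") as fh:
        return audit_lockfile(fh.read(), allowed_hosts)


if __name__ == "__main__":
    for pkg, issue, detail in audit_lockfile(SAMPLE_LOCK_TEXT):
        print(f"{issue:20} {pkg}: {detail}")
```

Run in a pipeline step before `npm ci`, a non-empty finding list is a reason to fail the build rather than just log. The check complements lockfile enforcement: a lockfile only pins what it records, so entries with no `integrity`, or that point at an unexpected host, are exactly the places where a substituted package would slip through unnoticed.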
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.