Previous Cyber Pulse

Cyber Pulse: Top 10 Cybersecurity Stories This Week

1. Microsoft May 2026 Patch Tuesday: 118–137 CVEs, No Zero-Days
Microsoft released its May 2026 Patch Tuesday fixes addressing between 118 and 137 vulnerabilities (counts vary slightly by vendor) across 20+ product families, including 16–31 marked Critical. Notably, this is the first Patch Tuesday since June 2024 with no zero-days actively exploited in the wild.
Source: BleepingComputer — https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/crowdstrike+2

2. Foxconn Ransomware Attack: Nitrogen Gang Claims 8TB of Data Stolen
Foxconn confirmed on May 12, 2026 that its North American manufacturing plants (primarily Mount Pleasant, Wisconsin) were hit by the Nitrogen ransomware group. The attackers claimed to have exfiltrated 8TB / 11+ million files including schematics tied to Apple, Google, Nvidia, Dell, and Intel. Production disruptions began as early as May 1 before public disclosure.
Source: TechCrunch / WIRED — https://techcrunch.com/2026/05/13/ransomware-hackers-claim-breach-at-foxconn/ | https://www.wired.com/story/foxconn-ransomware-attack-shows-nothing-is-safe-forever/ techcrunch+2

3. Instructure (Canvas LMS) Breach: ShinyHunters Claims 275 Million Records
Instructure, maker of the Canvas learning management system, confirmed a major data breach after ShinyHunters claimed to have stolen data from approximately 8,809 schools worldwide, affecting an estimated 275 million students, teachers, and staff. Exposed data includes names, email addresses, student IDs, and private messages. The attackers escalated by defacing hundreds of school login portals with ransom messages.
Source: LinkedIn / Check Point Research — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxc | https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/ linkedin+1

4. Cisco Catalyst SD-WAN CVSS 10.0 Auth Bypass Actively Exploited
A maximum-severity authentication bypass vulnerability (CVE-2026-20182, CVSS 10.0) in Cisco Catalyst SD-WAN Controller and Manager was confirmed as actively exploited in May 2026. An unauthenticated remote attacker can abuse DTLS on UDP port 12346 to bypass authentication and gain full administrative privileges over the SD-WAN fabric. Cisco has released patches and urged immediate action.
Source: The Hacker News — https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.htmlthehackernews+1

5. Verizon 2026 DBIR Published: Ransomware Now in 44% of Breaches
Verizon released its 2026 Data Breach Investigations Report, finding ransomware present in approximately 44% of all breaches (up from 32% the prior year), while third-party involvement in breaches doubled year-over-year. Credential abuse remains the top entry vector, and AI-generated phishing text in malicious emails doubled over the past two years.
Source: Verizon / DIESEC — https://www.verizon.com/business/resources/reports/dbir/ | https://diesec.com/2026/05/top-5-cybersecurity-news-stories-may-15-2026/ verizon+2

6. Palo Alto PAN-OS CVE-2026-0300: Critical RCE Being Actively Exploited
Palo Alto Networks disclosed and confirmed active exploitation of CVE-2026-0300, a critical buffer overflow in the PAN-OS User-ID Authentication Portal (Captive Portal). Unauthenticated attackers can achieve root-level remote code execution on PA-Series and VM-Series firewalls. No user interaction or credentials are required; CISA added it to the Known Exploited Vulnerabilities (KEV) catalog.
Source: Wiz / Help Net Security — https://www.wiz.io/blog/critical-vulnerability-in-pan-os-exploited-in-the-wild-cve-2026-0300 | https://www.helpnetsecurity.com/2026/05/06/palo-alto-firewalls-vulnerability-exploited-cve-2026-0300/ wiz+1

7. Best Western (BWH Hotels) Data Breach: Guest Data Exposed for 6 Months
BWH Hotels (parent of Best Western, WorldHotels, and SureStays) confirmed that hackers lurked inside its reservation web application from October 14, 2025 to April 22, 2026 — over six months — before detection. Stolen data includes guest names, emails, phone numbers, postal addresses, reservation numbers, dates of stay, and special requests. Payment data was not affected.
Source: Cybernews / TechRadar — https://cybernews.com/security/best-western-bwh-hotels-guest-data-breach/ | https://www.techradar.com/pro/security/best-western-hotels-warns-customers-reservation-data-may-have-been-spilled-in-breach cybernews+1

8. Exim Mail Server Critical RCE (CVE-2026-45185 “Dead.Letter”)
A critical use-after-free RCE vulnerability (CVE-2026-45185, CVSS 9.8) nicknamed “Dead.Letter” was disclosed in Exim mail transfer agent versions 4.97–4.99.2 on GnuTLS-compiled builds. An unauthenticated remote attacker can execute arbitrary code by sending a crafted TLS close_notify alert mid-BDAT transfer. Exim 4.99.3 patches the flaw; OpenSSL-based builds are not affected.
Source: BleepingComputer / runZero — https://www.bleepingcomputer.com/news/security/new-critical-exim-mailer-flaw-allows-remote-code-execution/ | https://www.runzero.com/blog/exim-mail-servers/ bleepingcomputer+1

9. NuGet Supply Chain Attack: 65,000 Downloads of Infostealer Packages
Five malicious NuGet packages (published by account “bmrxntfj”) impersonating popular Chinese .NET UI libraries accumulated nearly 65,000 downloads. The packages embed an infostealer that harvests browser credentials from 12 browsers, SSH keys, cryptocurrency wallet data, and local files — targeting both developer workstations and CI/CD pipelines. The campaign is ongoing.
Source: Cyberpress / SOC Prime — https://cyberpress.org/nuget-malware-steals-secrets/ | https://socprime.com/active-threats/malicious-nuget-packages-steal-wallets-and-credentials/ cyberpress+2

10. Zara (Inditex) Data Breach: 197,400 Customer Records Exposed
Spanish fashion giant Zara confirmed unauthorized access to a database hosted by a former third-party technology provider. Have I Been Pwned confirmed 197,400 unique email addresses were exposed, along with product SKUs, order IDs, and support ticket data. ShinyHunters claimed responsibility and leaked a 140GB archive, though names, phone numbers, payment card data, and credentials were not exposed.
Source: Check Point Research / LinkedIn — https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/ | https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxc

Threat Radar: Top 10 Active Threats, APTs & Dark Web Alerts

1. Nitrogen Ransomware — Active Double-Extortion Group Hits Foxconn
Nitrogen ransomware (active since 2023, linked to Conti 2 leaked code and ALPHV/BlackCat cartel) claimed its most high-profile attack yet against Foxconn’s North American operations, stealing 8TB of data and deploying double-extortion tactics. The group typically targets supply-chain entry points and uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable AV tools before deployment.
Source: Hoplon InfoSec / Cybersecurity Dive — https://hoploninfosec.com/foxconn-ransomware-attack-nitrogen-breach | https://www.cybersecuritydive.com/news/foxconn-confirms-cyberattack-affecting-some-north-american-facilities/820120/ hoploninfosec+1

2. ShinyHunters — Prolific Extortion Group Targeting Education & Retail
ShinyHunters continued its rampage this week, claiming attacks against Instructure/Canvas (275M records), Zara (197K records), and NVIDIA GeForce NOW (Armenia region). The group leverages compromised authentication tokens (including Anodot tokens used in the Zara attack) and cloud infrastructure abuse to exfiltrate large-scale datasets from BigQuery and similar cloud databases.
Source: LinkedIn SecureFact / Check Point — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxcresearch.checkpoint+1

3. MuddyWater (Iran) — False Flag Ransomware Deployed as Espionage Cover
Iran-linked MuddyWater (Mango Sandstorm / Seedworm / Static Kitten), operating under Iran’s Ministry of Intelligence and Security (MOIS), ran a sophisticated false-flag operation using Microsoft Teams social engineering. Attackers impersonated IT support staff, convinced victims to grant remote access, deployed infostealers, altered MFA settings, and deployed Chaos ransomware as cover — while the real objective was credential theft and data exfiltration.
Source: The Hacker News / TechRadar — https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html | https://www.techradar.com/pro/security/iranian-hackers-launch-ransomware-campaign-looking-to-steal-details-via-microsoft-teams thehackernews+1

4. Handala (Iran-Linked Hacktivists) — Targeting UAE & Gulf Critical Infrastructure
Handala, an Iran-aligned hacktivist group, escalated operations against UAE and Gulf targets. The group claimed to have breached the Port of Fujairah (releasing 430,000 classified documents including oil pipeline maps and ship movement data) and previously conducted cyberattacks on Gulf steel producers (Foulath Holding, Bahrain and SULB) targeting industrial SCADA systems.
Source: YouTube / Cyble — https://www.youtube.com/watch?v=SpGEkq7hS24 | https://cyble.com/blog/middle-east-cyber-warfare-2026-hybrid-conflict/ YouTube​cyble​

5. BARADAI Ransomware — Newly Identified File-Encrypting Strain
CYFIRMA researchers identified BARADAI ransomware this week while monitoring underground forums. It is a file-encrypting malware strain that appends a distinct extension to compromised files, targets local systems and network resources, and supports a double-extortion model with a Tor-based leak site. Initial access vectors include phishing, social engineering, and vulnerability exploitation.
Source: CYFIRMA — https://www.cyfirma.com/news/weekly-intelligence-report-08-may-2026/cyfirma​

6. Silver Fox APT — Tax-Themed Phishing Delivering ABCDoor Backdoor
Researchers detailed a Silver Fox campaign targeting organizations in India and Russia with tax-themed phishing emails delivering the previously undocumented ABCDoor backdoor, ValleyRAT, and related malware. The campaign affected industrial, consulting, retail, and transportation sectors through more than 1,600 socially engineered messages.
Source: Check Point Research — https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/research.checkpoint​

7. Sandworm (Russia GRU) — OT/ICS Lateral Movement Activity Detected
Russian state-linked Sandworm was reported moving from IT networks toward operational technology (OT) and industrial control system (ICS) environments, raising critical infrastructure alarms. The concern centers on leveraging existing footholds, unresolved vulnerabilities, and weak segmentation to approach energy, utilities, and manufacturing systems — where attacks can have physical-world consequences.
Source: LinkedIn Weekly Cyber Update — https://www.linkedin.com/pulse/weekly-update-cyber-news-week-ending-may-15th-2026-dr-jason-wrt6elinkedin​

8. Qilin Ransomware (RaaS) — Ongoing Operations with In-House Legal Services
Qilin, operating a mature Ransomware-as-a-Service model, continued active operations against US, Canadian, French, UK, and Italian targets. Notably, the group has innovated with in-house legal services to increase pressure on victims, alongside AI chatbot integrations to streamline victim communications. Their RaaS infrastructure provides affiliates with full tooling and support ecosystems.
Source: CYFIRMA / ISACA — https://www.cyfirma.com/news/weekly-intelligence-report-08-may-2026/ | https://www.isaca.org/resources/news-and-trends/industry-news/2026/ai-driven-ransomware-fuels-rise-in-new-cyberthreat-groups cyfirma+1

9. BlueNoroff (DPRK) — Social Engineering Targeting Crypto Organizations
North Korea-linked BlueNoroff was reported conducting targeted intrusions against Web3 and cryptocurrency organizations using fake Zoom meeting invitations that redirect to malicious interfaces. Attacks enable webcam capture, credential theft from cryptocurrency wallets, Telegram session hijacking, and persistence. Stolen data is reused to build more convincing deepfake lures.
Source: Help AG — https://www.helpag.com/top-middle-east-cyber-threats-06-may-2026/helpag​

10. RansomHouse — Claims Attack on Trellix Source Code Repository
The RansomHouse threat group claimed responsibility for attacking cybersecurity vendor Trellix’s source code repository, leaking a small set of images as proof of intrusion. The breach reportedly occurred on April 17, involving data encryption and exfiltration representing a double-extortion approach. The attack on a major security vendor’s code repository raises significant supply-chain concerns.
Source: LinkedIn SecureFact — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxc

Patch Priority: Top 10 Critical Vulnerabilities to Watch

1. CVE-2026-20182 — Cisco Catalyst SD-WAN Authentication Bypass

• CVSS Score: 10.0 (Critical)
• Affected Products: Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager (On-Prem, Cloud-Pro, Cloud, FedRAMP)
• Patch Status: Patches available — immediate patching required; active exploitation confirmed
• Details: Unauthenticated remote attacker can bypass authentication via DTLS on UDP port 12346 to gain full administrative privileges over the SD-WAN fabric.
  Source: The Hacker News — https://thehackernews.com/2026/05/cisco-catalyst-sd-wan-controller-auth.htmlthehackernews​

2. CVE-2026-42826 — Azure DevOps Information Disclosure

• CVSS Score: 10.0 (Critical)
• Affected Products: Microsoft Azure DevOps
• Patch Status: Patched via May 2026 Patch Tuesday
• Details: Critical information disclosure vulnerability that could expose sensitive DevOps pipeline data, secrets, and credentials.
  Source: CrowdStrike / Sophos — https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2026/ | https://www.sophos.com/en-us/blog/may-patch-tuesday-hauls-out-132-cves crowdstrike+1

3. CVE-2026-0300 — Palo Alto PAN-OS Captive Portal RCE

• CVSS Score: 9.8+ (Critical)
• Affected Products: Palo Alto PA-Series and VM-Series firewalls (PAN-OS with User-ID Authentication Portal)
• Patch Status: No fix available at initial disclosure; CISA KEV listed; mitigations available (restrict portal to trusted IPs)
• Details: Buffer overflow enabling root-level RCE by unauthenticated attackers sending specially crafted packets; actively exploited in the wild.
  Source: NVD / Wiz — https://nvd.nist.gov/vuln/detail/CVE-2026-0300 | https://www.wiz.io/blog/critical-vulnerability-in-pan-os-exploited-in-the-wild-cve-2026-0300 nvd.nist+1

4. CVE-2026-41089 — Windows Netlogon RCE (Wormable)

• CVSS Score: 9.8 (Critical)
• Affected Products: Windows Server (Domain Controllers)
• Patch Status: Patched via May 2026 Patch Tuesday
• Details: Stack-based buffer overflow allowing unauthenticated remote code execution on domain controllers. No credentials or user interaction required — classified as wormable. A compromised DC means a compromised domain.
  Source: Zero Day Initiative — https://www.thezdi.com/blog/2026/5/12/the-may-2026-security-update-reviewthezdi​

5. CVE-2026-45185 — Exim Mail Server RCE (“Dead.Letter”)

• CVSS Score: 9.8 (Critical)
• Affected Products: Exim 4.97–4.99.2 (GnuTLS builds with STARTTLS and CHUNKING enabled)
• Patch Status: Patched in Exim 4.99.3
• Details: Use-after-free vulnerability in BDAT/TLS handling enables unauthenticated remote code execution. OpenSSL builds are unaffected. Debian-based distributions are commonly affected.
  Source: BleepingComputer / runZero — https://www.bleepingcomputer.com/news/security/new-critical-exim-mailer-flaw-allows-remote-code-execution/ | https://www.runzero.com/blog/exim-mail-servers/ bleepingcomputer+1

6. CVE-2026-7482 — Ollama “Bleeding Llama” Memory Leak

• CVSS Score: 9.1 (Critical)
• Affected Products: Ollama before v0.17.1 (all versions with /api/create and /api/push enabled)
• Patch Status: Patched in Ollama v0.17.1
• Details: Heap out-of-bounds read in the GGUF model loader allows unauthenticated attackers to exfiltrate memory contents (API keys, system prompts, conversation data, environment variables). Estimated 300,000 internet-facing servers exposed.
  Source: NVD / Cyera — https://nvd.nist.gov/vuln/detail/CVE-2026-7482 | https://www.cyera.com/research/bleeding-llama-critical-unauthenticated-memory-leak-in-ollama nvd.nist+1

7. CVE-2026-33109 — Azure Managed Instance for Apache Cassandra RCE

• CVSS Score: 9.9 (Critical)
• Affected Products: Azure Managed Instance for Apache Cassandra
• Patch Status: Patched by Microsoft via cloud infrastructure update (no customer action needed)
• Details: Critical remote code execution vulnerability in Azure’s managed Cassandra service, highest severity in the Azure service RCE category this month.
  Source: Sophos / CrowdStrike — https://www.sophos.com/en-us/blog/may-patch-tuesday-hauls-out-132-cves | https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2026/ sophos+1

8. CVE-2026-31431 — Linux Kernel “Copy Fail” Local Privilege Escalation

• CVSS Score: 8.8 (High)
• Affected Products: Linux distributions using kernel versions released since 2017
• Patch Status: Kernel patch required; PoC available
• Details: Allows an unprivileged local user to gain full root access. Exploitation requires only a lightweight Python script with no race conditions or complex kernel offsets — significantly lower barrier than typical LPE flaws.
  Source: Integrity360 — https://www.integrity360.com/cyber-news-roundup-may-1st-2026integrity360​

9. CVE-2026-42823 — Azure Logic Apps Elevation of Privilege

• CVSS Score: 9.9 (Critical)
• Affected Products: Azure Logic Apps
• Patch Status: Patched by Microsoft via cloud infrastructure (no customer action needed)
• Details: Allows privilege escalation within Azure Logic Apps workflows, potentially enabling an attacker to gain unauthorized access to connected services and data.
  Source: Sophos Patch Tuesday — https://www.sophos.com/en-us/blog/may-patch-tuesday-hauls-out-132-cvessophos​

10. CVE-2026-41109 — GitHub Copilot & VS Code Security Feature Bypass

• CVSS Score: 8.8 (High)
• Affected Products: GitHub Copilot extension, Visual Studio Code
• Patch Status: Patched via May 2026 Patch Tuesday
• Details: Security feature bypass that could allow unauthorized code execution or security control circumvention in developer environments using GitHub Copilot integrated with VS Code — a highly targeted developer toolchain.
  Source: BleepingComputer / Sophos — https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2026-patch-tuesday-fixes-120-flaws-no-zero-days/ | https://www.sophos.com/en-us/blog/may-patch-tuesday-hauls-out-132-cves

CVE Watch: Top 10 CVEs — Severity, Impact & Patch Status

CVE ID	Severity (CVSS)	Product	Impact	Source
CVE-2026-20182	Critical (10.0)	Cisco Catalyst SD-WAN Controller & Manager	Auth bypass → full admin control over SD-WAN fabric; actively exploited	The Hacker Newsthehackernews​
CVE-2026-42826	Critical (10.0)	Microsoft Azure DevOps	Information disclosure of sensitive pipeline secrets and data	CrowdStrikecrowdstrike​
CVE-2026-33109	Critical (9.9)	Azure Managed Instance for Apache Cassandra	Unauthenticated Remote Code Execution on Azure cloud service	Sophossophos​
CVE-2026-42823	Critical (9.9)	Azure Logic Apps	Elevation of Privilege on cloud workflow automation service	Sophossophos​
CVE-2026-41096	Critical (9.8)	Windows DNS Client	Heap buffer overflow → unauthenticated RCE via malicious DNS response	CrowdStrikecrowdstrike​
CVE-2026-41089	Critical (9.8)	Windows Netlogon (Domain Controllers)	Wormable RCE — stack-based buffer overflow; unauthenticated, no user interaction	Zero Day Initiativethezdi​
CVE-2026-45185	Critical (9.8)	Exim Mail Server 4.97–4.99.2 (GnuTLS)	UAF-based RCE via BDAT/TLS handling; unauthenticated; patched in 4.99.3	BleepingComputerbleepingcomputer​
CVE-2026-0300	Critical (9.8)	Palo Alto PAN-OS (PA-Series/VM-Series)	RCE with root privileges via Captive Portal buffer overflow; KEV listed; actively exploited	NVD / Wiznvd.nist​
CVE-2026-7482	Critical (9.1)	Ollama < 0.17.1 (GGUF model loader)	Memory leak — API keys, system prompts, conversations exfiltrated; 300K servers at risk	NVDnvd.nist​
CVE-2026-35428	Critical (9.6)	Azure Cloud Shell	Command injection/spoofing; unauthenticated remote attacker; patched by Microsoft cloud update	CrowdStrikecrowdstrike

Attack Tracker: Top 10 Cyber Attacks (UAE, Gulf & Global)

1.  UAE — 600,000 Daily AI-Powered Cyberattacks as Regional Conflict Escalates
The UAE Cyber Security Council confirmed that daily cyberattack volumes have tripled to approximately 600,000 per day since the regional escalation in late February 2026. Authorities have identified 350 organized groups, 320 amateur hackers, and 120 malware-linked entities actively targeting UAE government systems, financial services, ports, and public utilities. Iranian actors using AI-powered deepfakes and wiper viruses pose the greatest risk.
Source: Analytics Insight UAE / Gulf News — https://www.analyticsinsight.ae/news/uae-cyberattacks-triple-to-600000-a-day-as-gulf-financial-hubs-become-conflict-target | https://gulfnews.com/uae/government/uae-issues-warning-as-iran-deploys-ai-for-cyber-attacks-1.500525604 analyticsinsight+1

2.  UAE — Handala Claims Breach of Port of Fujairah, 430K Documents Leaked
Iran-linked Handala hacker group claimed to have breached the Port of Fujairah ahead of missile and drone strikes on the strategic oil hub. The group alleged it exfiltrated over 430,000 classified documents including oil pipeline maps, ship movement data, and financial records, which it claimed were shared with IRGC-linked military units. The group warned Abu Dhabi to cease cooperation with the US and Israel.
Source: YouTube / Cyble — https://www.youtube.com/watch?v=SpGEkq7hS24 | https://cyble.com/blog/middle-east-cyber-warfare-2026-hybrid-conflict/ YouTube​cyble​

3.  UAE /  Bahrain — DieNet Pro-Iran Group DDoS Attacks on Gulf Airports & Banks
Pro-Iran hacktivist group DieNet claimed responsibility for DDoS attacks targeting airports and financial institutions across the Gulf, including an airport in the UAE, Sharjah Airport in Saudi Arabia, Riyadh Bank, the Bank of Jordan, and a Bahrain airport. The group publicizes attacks via its Telegram board as part of a coordinated digital pressure campaign aligned with Iran’s regional posture.
Source: Palo Alto Unit 42 — https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/unit42.paloaltonetworks​

4.  Bahrain /  Saudi Arabia — 800% Surge in Cyberattacks Post-Iran Conflict
Cyberattacks targeting Bahrain and Gulf neighbours surged 800% during March 2026 compared to February, with the trend continuing into May. Digital campaigns heavily targeted Israel (36% of strikes), UAE (21%), and Bahrain (14%), with the heaviest hits landing on public sector, banking, and telecommunications. Iranian-aligned hacktivists conducted DDoS campaigns against US-aligned Gulf states hosting American military installations.
Source: Gulf Daily News — https://www.gdnonline.com/Details/1380549gdnonline​

 Global

5.  Foxconn — Nitrogen Ransomware Disrupts North American Manufacturing
The Nitrogen ransomware gang hit Foxconn’s North American operations (confirmed May 12), causing a two-week network collapse at the Mount Pleasant, Wisconsin plant. The attackers claimed to have stolen 8TB / 11 million files including confidential project data tied to Apple, Google, Nvidia, Dell, and Intel. The double-extortion attack underscores supply-chain vulnerability in global electronics manufacturing.
Source: TechCrunch / WIRED — https://techcrunch.com/2026/05/13/ransomware-hackers-claim-breach-at-foxconn/ | https://www.wired.com/story/foxconn-ransomware-attack-shows-nothing-is-safe-forever/ techcrunch+1

6.  Instructure / Canvas LMS — 275 Million Education Records Compromised
ShinyHunters breached Instructure’s cloud environment serving Canvas LMS, compromising data from 8,809 schools, colleges, and universities worldwide. Beyond data theft, attackers defaced hundreds of school login portals with ransom messages, escalating pressure on the educational technology company. The incident represents one of the largest education-sector breaches in history.
Source: LinkedIn SecureFact / Check Point — https://www.linkedin.com/pulse/securefact-cyber-security-news-week-may-11-2026-magedatadotai-glfxclinkedin+1

7.  Best Western (BWH Hotels) — 6-Month Undetected Intrusion into Reservation Systems
Hackers infiltrated BWH Hotels’ guest reservation system in October 2025 and remained undetected for over six months, exfiltrating reservation data for tens of thousands of guests. The breach exposed names, email addresses, phone numbers, postal addresses, and full reservation details. The long dwell time raises serious concerns about detection gaps in the hospitality sector.
Source: Cybernews — https://cybernews.com/security/best-western-bwh-hotels-guest-data-breach/cybernews​

8.  Water Infrastructure — Hackers Access Industrial Controls at Public Water Plants
Researchers and responders reported active intrusions into water facility industrial control systems, with attackers testing access to programmable logic controllers and SCADA systems. The incidents coincide with Sandworm activity targeting OT environments, raising physical-world safety concerns as hackers probe the boundary between cyber and operational disruption in critical infrastructure.
Source: LinkedIn Daily Cyber News — https://www.linkedin.com/pulse/daily-cyber-news-may-11th-2026-dr-jason-edwards-dm-cissp-crisc-f0neelinkedin​

9.  MuddyWater (Iran) — Microsoft Teams Social Engineering Espionage Campaign
Iran’s MuddyWater executed a false-flag ransomware campaign using Microsoft Teams, impersonating IT support staff via a deceptive Microsoft 365 tenant domain (e.g., “sarahwilson@seqhelpsitdevsupportops.onmicrosoft.com“). Victims were tricked into executing a malicious MSI installer (Dindoor backdoor), followed by credential theft, MFA modification, data exfiltration, and Chaos ransomware deployment as cover.
Source: The Hacker News / CyberProof — https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html | https://www.cyberproof.com/blog/iranian-apt-seedworm-targets-global-organizations-via-microsoft-teams/ thehackernews+1

10.  Hungarian Mediaworks — World Leaks Posts 8.5TB of Internal Files
Hungarian media company Mediaworks, which operates dozens of newspapers and online outlets, was hit by a data-theft extortion attack. The World Leaks group posted 8.5TB of internal files online, reportedly including payroll records, contracts, financial documents, and internal communications. The attack demonstrates the continued targeting of media organizations in geopolitically sensitive regions.
Source: Check Point Research — https://research.checkpoint.com/2026/11th-may-threat-intelligence-report/

AI Watch: Top 10 AI Innovations Shaping Cyber & Tech

1. OpenAI Launches GPT-5.5 Instant as Default ChatGPT Model
OpenAI released GPT-5.5 Instant on May 5, 2026 as the new default model for all ChatGPT users, replacing GPT-5.3 Instant. The model reduces hallucinations in sensitive domains (law, medicine, finance), scores 81.2 on AIME 2025 (vs. 65.4 for predecessor), and achieves 76 on MMMU-Pro multimodal reasoning. It also introduces stronger personalization based on user conversation history.
Source: TechCrunch / OpenAI — https://techcrunch.com/2026/05/05/openai-releases-gpt-5-5-instant-a-new-default-model-for-chatgpt/ | https://openai.com/index/introducing-gpt-5-5/ techcrunch+1

2. OpenAI Launches GPT-5.5-Cyber: Security-Focused AI Model
On May 7, 2026, OpenAI announced GPT-5.5-Cyber, a limited-preview variant available to vetted cybersecurity teams under its “Trusted Access for Cyber” program. The model is purpose-built for vulnerability analysis, secure code review, and threat assessment workflows, becoming the first OpenAI model with a dedicated cybersecurity use case designation.
Source: Wikipedia / YouTube — https://en.wikipedia.org/wiki/GPT-5.5 | https://www.youtube.com/watch?v=8IzqzUQYqzE wikipedia​YouTube​

3. OpenAI Releases Three New Real-Time Voice Models
OpenAI launched three new real-time API voice models this week: GPT-Realtime-2 (GPT-5 class reasoning for real-time speech), GPT-Realtime-Translate (live speech-to-speech translation across 70+ languages), and GPT-Realtime-Whisper (live transcription). These models transition voice AI from “demo-ready” to production-grade, enabling complex multi-step voice agents.
Source: YouTube API Week Coverage — https://www.youtube.com/watch?v=8IzqzUQYqzEyoutube+1

4. Anthropic Releases Claude Opus 4.7 Fast Mode + Claude for Small Business & Legal
Anthropic released Fast mode for Claude Opus 4.7 in research preview, available through the API and top coding IDEs (Cursor, Windsurf, Warp). The company also launched Claude for Small Business (workflow automation across finance, ops, HR) and Claude for Legal (12 plugins + 20+ MCP connectors for legal practice areas), extending its enterprise footprint significantly.
Source: LinkedIn AI Daily Briefing — https://www.linkedin.com/pulse/ai-daily-briefing-thursday-14th-may-2026-david-wright-z3dlelinkedin​

5. Anthropic Secures SpaceX Compute Partnership, Raises Usage Limits
Anthropic announced a partnership with SpaceX for substantially expanded compute capacity, allowing it to raise usage limits for Claude Code and the Claude API. Anthropic’s annualized revenue had crossed $24 billion by April 2026 (vs. OpenAI’s ~$19B), and the company has received investment offers valuing it above $710 billion.
Source: Anthropic — https://www.anthropic.com/news/higher-limits-spacexanthropic+1

6. Google Unveils “Gemini Intelligence” Platform at Android Show 2026
On May 12, 2026, Google unveiled a major paradigm shift at the Android Show 2026, moving away from traditional operating systems toward an “intelligence system” powered by Gemini. Android devices will feature agentic workflows that proactively execute multi-step tasks across apps (e.g., auto-converting a grocery list image to a delivery cart). Google also launched the Googlebook laptop running “Aluminium OS” with an AI-enhanced Magic Pointer cursor built with DeepMind.
Source: Champaign Magazine AI Weekly — https://champaignmagazine.com/2026/05/17/ai-by-ai-weekly-top-5-may-11-17-2026/champaignmagazine​

7. xAI Grok 4.3: Multimodal AI with 2M Token Context Window
xAI’s Grok 4.3 reached broader API availability in early May 2026, featuring native video understanding, expanded context windows of up to 2 million tokens, improved multi-step reasoning and instruction following, voice generation and voice-cloning tools, and support for generating PDFs, spreadsheets, and presentations. It tops Artificial Analysis leaderboards in agentic tool calling and ranks #1 on enterprise domains (case law, corporate finance).
Source: Times of AI / Oracle OCI Blog — https://www.timesofai.com/news/grok-4-3-all-new-features-explained/ | https://blogs.oracle.com/ai-and-datascience/whats-new-in-ai-may-2026 timesofai+1

8. Stanford 2026 AI Index: Cybersecurity Agent Accuracy Reaches 93%
The Stanford HAI 2026 AI Index Report revealed that AI cybersecurity agent accuracy jumped from 15% to 93% in one year; SWE-bench performance (real GitHub bugs) rose from 60% to near 100%; global AI investment reached $581.7 billion (up 130%); and generative AI reached 53% population adoption — faster than the PC or the internet. The UAE achieved 54% genAI adoption, ranking above the US average.
Source: Stanford HAI / Reddit — https://hai.stanford.edu/ai-index/2026-ai-index-report | https://www.reddit.com/r/ArtificialInteligence/comments/1sncv1j/the_stanford_ai_index_report_of_2026_has_some/ hai.stanford+1

9. MIT Technology Review: Sovereign AI Delivers 5x ROI for Enterprises
A new MIT Technology Review Insights report (published May 14, 2026, in partnership with EnterpriseDB) found that enterprises “deeply committed” to AI and data sovereignty deliver 5x the ROI from generative and agentic AI initiatives, with a 0.93 correlation between sovereignty commitment and AI success. Over half of enterprises already have AI agents in production. Security and resilience (85%), data localization (74%), and ownership/control (72%) are the top sovereignty drivers.
Source: PR Newswire / MIT Tech Review — https://www.prnewswire.com/news-releases/sovereignty-is-the-new-operating-system-for-agentic-ai-new-mit-technology-review-insights-reportprnewswire​

10. Sakana AI Unveils “RL Conductor”: Reinforcement Learning for Multi-Model Orchestration
Sakana AI introduced RL Conductor, a 7B parameter orchestration model trained through reinforcement learning to dynamically coordinate multiple frontier AI systems (GPT-5, Claude Sonnet 4, Gemini 2.5 Pro, and open-source models). Rather than rigid workflows, the model automatically routes tasks based on each model’s strength — representing a significant step toward autonomous multi-agent AI systems at production scale.
Source: MarketingProfs AI Update — https://www.marketingprofs.com/opinions/2026/54786/ai-update-may-15-2026-ai-news-and-views-from-the-past-weekmarketingprofs