ShinyHunters Breaches Millions at Charter &amp; Carnival; Microsoft Zero-Days Actively Exploited in the Wild

Charter Communications Investigates Data Breach Affecting 4.9 Million After ShinyHunters Claims Responsibility

U.S. telecom giant Charter Communications is investigating a significant data breach impacting 4.9 million customer accounts. The notorious extortion group ShinyHunters has claimed responsibility, alleging they initiated the breach on April 1, 2026, through a voice phishing (vishing) attack on an employee. This allowed them to compromise a Microsoft Entra account and gain access to the company's Salesforce instance, from which they claim to have exfiltrated customer data including names, addresses, and phone numbers. While Charter acknowledges the incident, it disputes that sensitive personal information was stolen, creating a conflict between the company's statement and the threat actor's claims, which are partially substantiated by data breach notification services.

vishingsocial engineeringidentity and access managementcloud securityextortion

ShinyHunters Claims 4.9M Charter Communications Accounts Stolen via Vishing Attack

CISA Issues Urgent Advisories for Critical Flaws in ICS and OT Devices

CRITICAL

CISA Releases Multiple Advisories for Critical Vulnerabilities in Industrial Control Systems and Operational Technology

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a series of advisories warning of critical vulnerabilities in widely deployed Industrial Control Systems (ICS) and Operational Technology (OT). The flaws affect products from vendors including Jinan USR, ABB, and Schneider Electric. One of the most severe is CVE-2026-7786, a 9.8 CVSS vulnerability in a Jinan USR IoT converter caused by hard-coded administrator credentials, which could allow an attacker to gain full device control. CISA emphasizes the need for network segmentation and defense-in-depth, as some vendors have been unresponsive, leaving systems at risk of remote code execution and device takeover in critical sectors.

ICSOTSCADAcritical infrastructurefirmware +1 more

Active Exploitation of Critical FortiClient EMS Flaw (CVE-2026-35616) Used to Deploy Credential Stealers

CRITICAL

Threat Actors Exploit FortiClient EMS Vulnerability (CVE-2026-35616) to Distribute Malware

A critical, now-patched vulnerability in Fortinet's FortiClient Endpoint Management Server (EMS), tracked as CVE-2026-35616, is being actively exploited by threat actors. The flaw, rated 9.1 on the CVSS scale, allows for a pre-authentication API access bypass, leading to privilege escalation. Attackers are leveraging this access to modify endpoint policies and push malicious PowerShell scripts to all connected endpoints. This effectively turns the EMS, a security management tool, into a malware distribution system, deploying credential-stealing payloads disguised as legitimate Fortinet updates. Organizations using FortiClient EMS are urged to update to version 7.4.7 or later immediately.

FortinetFortiClientactive exploitationcredential stealerPowerShell +1 more

7 min read

Active Exploitation of Critical FortiClient EMS Flaw (CVE-2026-35616) Used to Deploy Credential Stealers

New npm Typosquatting Campaign Pushes Malware to Steal AWS and CI/CD Secrets

Microsoft Uncovers Active Typosquatting Campaign on npm Targeting Developer Credentials

The Microsoft Security team has identified an active supply chain attack on the npm ecosystem, where a threat actor published 14 malicious, typosquatted packages designed to steal developer secrets. The packages, published by an actor using the alias 'vpmdhaj,' mimic legitimate libraries related to OpenSearch and DevOps. They use a 'preinstall' hook to execute a payload that harvests sensitive information from the developer's environment, including AWS credentials, HashiCorp Vault tokens, and npm publish tokens. The campaign highlights the ongoing threat of typosquatting in open-source repositories and the risk to cloud and CI/CD infrastructure.

npmtyposquattingsupply chain attackdeveloper securitycredential theft +1 more

New npm Typosquatting Campaign Pushes Malware to Steal AWS and CI/CD Secrets

Microsoft Pushes Mandatory Secure Boot Update as 2011 Certificates Expire

MEDIUM

Microsoft Rolls Out Critical Secure Boot Certificate Refresh; Older PCs May Face Issues

Microsoft is deploying a mandatory update for Windows Secure Boot as the original certificates issued in 2011 are set to expire starting in June 2026. The update, delivered via Windows Update, rolls out new 2023-dated certificates to serve as the trust anchor for the boot process, hardening systems against threats like the BlackLotus UEFI bootkit. While the transition is designed to be seamless for most modern PCs, there are concerns that older devices or systems with outdated firmware may not apply the update correctly. This could leave them unable to receive future boot-level security protections, creating a hidden vulnerability.

Secure BootWindowsUEFIfirmwarecertificate +1 more

Microsoft Pushes Mandatory Secure Boot Update as 2011 Certificates Expire

California Sues 23andMe Over 2023 Breach, Alleging Major Security and Privacy Failures

California Attorney General Files Lawsuit Against 23andMe for 2023 Data Breach

California's Attorney General, Rob Bonta, has filed a lawsuit against genetic testing company 23andMe in response to its massive 2023 data breach. The breach, a result of a credential stuffing campaign, ultimately exposed the data of 6.9 million individuals. The lawsuit alleges that 23andMe failed to maintain reasonable security practices, made misleading statements about its security, and violated multiple state privacy laws, including the California Consumer Privacy Act (CCPA) and the Genetic Information Privacy Act. The state is seeking millions of dollars in civil fines for the alleged violations.

23andMeCCPAdata privacylawsuitcredential stuffing +1 more

California Sues 23andMe Over 2023 Breach, Alleging Major Security and Privacy Failures

Industrial Acceptance Corp. Notifies 79k Individuals of Data Breach by INC Ransomware Over a Year Later

Industrial Acceptance Corp. Discloses Ransomware Breach Affecting 79,216 Individuals

The consumer finance company Industrial Acceptance Corp. (IAC) has begun notifying 79,216 individuals that their sensitive personal information was compromised in a ransomware attack attributed to the 'INC' ransomware group. The breach was first detected in early March 2025, but notification letters were not sent until May 28, 2026, over 14 months later. The company confirmed that the attackers exfiltrated files containing full names, Social Security numbers, and driver's license numbers. The lengthy delay between detection and notification raises questions about the company's incident response process.

ransomwareINC ransomwaredata breachdouble extortionfinancial services

Industrial Acceptance Corp. Notifies 79k Individuals of Data Breach by INC Ransomware Over a Year Later

Researchers Detail New 'Gines' Ransomware Variant Linked to Makop Family

MEDIUM

New 'Gines' Ransomware Emerges, Associated with Makop Ransomware Family

Threat intelligence researchers from CYFIRMA have identified a new strain of file-encrypting malware called 'Gines' ransomware. Analysis suggests Gines is a variant of the notorious Makop ransomware family. It operates on a double-extortion model, first exfiltrating victim data before encrypting files on Windows systems and network shares. Encrypted files are appended with a '.gines' extension, and a ransom note named '+README-WARNING+.txt' is dropped, instructing victims to contact the attackers via an Outlook email address. No public decryptor is currently available.

ransomwareGinesMakopthreat intelligencemalware analysis +1 more

Researchers Detail New 'Gines' Ransomware Variant Linked to Makop Family

Chinese APTs Exploit Middle East Conflict for Cyber-Espionage in Maritime and Energy Sectors

ESET: Chinese Hacking Groups Leverage Middle East Tensions to Target Maritime and Energy Entities

A new report from ESET reveals that China-aligned Advanced Persistent Threat (APT) groups are capitalizing on geopolitical instability in the Middle East to conduct cyber-espionage campaigns. These state-sponsored actors are targeting maritime, energy, and government entities in the Gulf region to gather strategic intelligence. The report, covering late 2025 to early 2026, details activities by groups like FamousSparrow and SteppeDriver, whose targets in Venezuela, Syria, and South Korea align directly with Beijing's economic and strategic interests, such as its 'Made in China 2025' policy. The activity demonstrates a clear pattern of using cyber operations as a tool of statecraft.

APTcyber espionagenation-stateChinamaritime security +1 more

Chinese APTs Exploit Middle East Conflict for Cyber-Espionage in Maritime and Energy Sectors

Updated Articles (3)

Researcher Leaks Two Windows Zero-Day Exploits, 'YellowKey' and 'GreenPlasma', Amid Dispute with Microsoft

CRITICAL

Angry Researcher Drops Two Windows Zero-Day Exploits, Citing Frustration with Microsoft's MSRC

Update:

The dispute between Microsoft and Chaotic Eclipse has escalated, with three more zero-day vulnerabilities now confirmed as actively exploited: CVE-2026-33825 (BlueHammer), CVE-2026-41091 (RedSun), and CVE-2026-45498 (UnDefend). These flaws, including a Windows Defender bypass, have been added to CISA's Known Exploited Vulnerabilities catalog, mandating urgent action. GitHub and GitLab have also removed the researcher's accounts. This expands the scope of actively exploited flaws beyond YellowKey and GreenPlasma, significantly increasing the overall risk and confirmed impact.

May 14, 2026

Updated: May 29, 2026

Zero-DayWindowsVulnerabilityExploitYellowKey +4 more

Researcher Leaks Two Windows Zero-Day Exploits, 'YellowKey' and 'GreenPlasma', Amid Dispute with Microsoft

GlassWorm Malware Infrastructure Dismantled in Coordinated Takedown

CrowdStrike, Google, and Shadowserver Disrupt "GlassWorm" Developer-Targeted Supply Chain Attack

Update:

New details reveal the Glassworm botnet employed a highly resilient, quad-redundant command-and-control (C2) infrastructure. This included a novel method of embedding C2 server addresses in Solana blockchain transaction memo fields, utilizing BitTorrent DHT, and leveraging Google Calendar events, alongside traditional VPS. This sophisticated approach made the botnet exceptionally resistant to conventional takedown efforts, highlighting the advanced capabilities of the threat actors.

May 27, 2026

Updated: May 29, 2026

glasswormsupply chain attacktakedowncrowdstrikegoogle +3 more

GlassWorm Malware Infrastructure Dismantled in Coordinated Takedown

Carnival Cruise Data Breach Exposes Nearly 6 Million Customers; ShinyHunters Claims Responsibility

Carnival Corporation Confirms Massive Data Breach Affecting 6 Million Individuals After Phishing Attack

Update:

This update clarifies the 'cybersecurity event' date as April 14, 2026. It raises concerns that the 'personal information' compromised could include highly sensitive data like passport numbers, Social Security numbers, and financial information, based on ShinyHunters' tactics and Carnival's vague disclosure. The article also emphasizes that this is Carnival's fifth reported cybersecurity incident since 2019 and specifically notes the potential for significant regulatory fines under GDPR. New hunting hints and mitigation strategies, such as phishing-resistant MFA and continuous training, are also suggested.

May 28, 2026

Updated: May 29, 2026