Latest news as of 5/19/2026, 7:04:30 AM
The Hacker News
Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. "The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly
The Hacker News
In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,
Have I Been Pwned
In April 2026, . The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel. data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum
The Register
While also spoofing all the trusted domains - Apple, Microsoft, and Google - in the same attack
Bleeping Computer
More than 200 individuals were arrested for cybercrime activities during INTERPOL's Operation Ramz, which focused on the Middle East and North Africa. [...]
The Register
Plus three other stealers in three other packages, all from the same scumbag
Dark Reading
CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.
Have I Been Pwned
In March 2026, the Colombian fintech company and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points. Addi identified unauthorised activity on its platform ShinyHunters subsequently claimed responsibility
Dark Reading
The now patched vulnerabilities in the rapidly growing AI agent framework allow attackers to steal credentials, escalate privileges, and maintain persistence.
Bleeping Computer
A new variant of the 'SHub' macOS infostealer uses AppleScript to show a fake security update message and installs a backdoor. [...]