TeamPCP launched its largest supply-chain attack to date on May 11, compromising 170+ npm and PyPI packages with 518 million combined weekly downloads. The attackers chained three GitHub Actions vulnerabilities to publish 401 malicious versions carrying valid SLSA Build Level 3 attestations - cryptographically indistinguishable from legitimate releases. Affected packages include TanStack, Mistral AI (npm and PyPI), UiPath, OpenSearch, and Guardrails AI. The worm installs a persistent gh-token-monitor daemon that triggers 'rm -rf ~/' if tokens get revoked, and includes a probabilistic full-disk-wipe routine for Israeli and Iranian locales.
TeamPCP, the group behind the March Trivy breach and Shai-Hulud npm worm, used credentials stolen in that March attack to publish a backdoored version of Checkmarx's Jenkins AST plugin to the Jenkins Marketplace. This is the third Checkmarx supply-chain hit since late March. The rogue version 2026.5.09 went up on May 9, outside Checkmarx's normal release process - no git tag, no GitHub release. Checkmarx says its GitHub repos are isolated from customer production and no customer data is stored there, but anyone who installed the bad plugin should assume their CI credentials are compromised, rotate them all, and hunt for lateral movement.
The TrickMo Android banking malware now routes its command-and-control through The Open Network (TON), the decentralized peer-to-peer network originally built around Telegram, making the C2 infrastructure much harder to identify or take down. ThreatFabric (which tracks this variant as Trickmo.C) has been watching it since January in campaigns hitting users in France, Italy, and Austria. The malware disguises itself as TikTok or streaming apps and steals banking credentials and crypto wallet keys via phishing overlays, keylogging, SMS interception, OTP suppression, and live screen recording. The new variant also adds SSH tunneling, port forwarding, and SOCKS5 proxy commands, turning infected phones into a pivot point.
A researcher at Israel Aerospace Industries published a proof-of-concept tool called GhostLock that uses a legitimate Windows API call to make files unreadable without encrypting anything. The technique abuses the dwShareMode parameter of CreateFileW - setting it to 0 grants the calling process exclusive access, so every other user or app trying to open the file gets a sharing violation. GhostLock automates this recursively across SMB shares from a standard domain user account, no elevation required. Researcher Kim Dvash frames it as a disruption attack, not destructive - data is not lost, but operational downtime can mirror a ransomware incident.
QiAnXin XLab has tied the ongoing exploitation of cPanel's CVE-2026-41940 to a previously-quiet threat actor it tracks as Mr_Rot13, who has been operating since at least 2020. The attack chain exploits the cPanel and WHM authentication bypass to drop a Go-based infector that adds an attacker SSH key, plants a PHP web shell, and serves a fake login page to steal cPanel credentials (ROT13-encoded, exfiltrated to wrned[.]com). The final payload is a cross-platform backdoor called Filemanager that runs on Windows, macOS, and Linux. XLab counts over 2,000 attacker source IPs currently scanning for this flaw.
Hackers are buying Google ads that look like they go to claude.ai - and they do go to a real claude.ai page. But the page is a shared Claude chat dressed up as 'Apple Support' walking users through installing Claude on a Mac. The instructions tell people to paste a command into Terminal that quietly downloads MacSync, a Mac infostealer that grabs saved browser passwords, cookies, and contents of macOS Keychain (where Mac stores logins and keys). Because both the ad and the page are real claude.ai links, there is no fake domain to spot. Researcher Berk Albayrak first reported the campaign; BleepingComputer found a second active variant.
JDownloader's official website was compromised between May 5-7 and the alternative Windows installer plus the Linux shell installer were replaced with malware. The Windows payload is a Python-based remote access trojan; the Linux installer establishes root persistence and pulls additional binaries. Attackers exploited an unpatched flaw in the website's CMS that let them change download links without authentication. macOS downloads, Flatpak/Winget/Snap packages, and the main JDownloader.jar weren't touched. Third 'trusted software site' hijacked in 30 days after CPUID (CPU-Z, HWMonitor) in April and DAEMON Tools last week.
HiddenLayer disclosed a malicious Hugging Face repository called Open-OSS/privacy-filter that typosquatted OpenAI's legitimate Privacy Filter project. The repo copied the original model card almost verbatim and shipped a loader.py file that, on Windows, fetched and executed an infostealer. The repo briefly hit Hugging Face's trending list at #1 and accumulated 244,000 downloads before the platform pulled it on May 7. The loader runs in an invisible PowerShell window, escalates privileges, adds itself to Microsoft Defender exclusions, and deploys Sefirah - a Rust-based infostealer that targets browser credentials, Discord tokens, cryptocurrency wallets, and SSH keys.
Update on the Instructure breach we covered May 4: ShinyHunters has shifted from extorting Instructure itself to extorting individual schools and universities with their own Canvas data. BleepingComputer and Krebs on Security report that 8,800+ institutions have received direct ransom demands referencing real student records, teacher accounts, and gradebook data from their own Canvas tenants. The campaign mirrors the 2025 PowerSchool aftermath. Some schools are receiving demands sized to the institution. Krebs notes affected schools are scrambling to comply with state student-privacy laws while negotiating with attackers.
Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.
TrustStrike Labs