1. Megalodon Supply Chain Attack Poisons 5,500+ GitHub Repositories in Six Hours
On May 18, an automated campaign dubbed “Megalodon” pushed 5,718 malicious commits to 5,561 GitHub repositories in a single six-hour window — one of the most aggressive open-source supply chain attacks ever recorded. Using throwaway accounts with forged identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads designed to exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a command-and-control server. By May 21, the attacker’s ingest server had collected over 575,000 stolen files totaling 449 GB of exfiltrated data. Notable victims include Tiledesk, which was hit across nine repositories, with the compromise propagating to npm through routine publishes by the legitimate maintainer.
Source: The Hacker News | BleepingComputer
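As an added example (not code from the reporting cited above), a stdlib-only Python scanner that flags the workflow pattern described in this item: a `run:` step that decodes base64 straight into a shell, with a note on whether the workflow also touches the `secrets` context, plus a check against the forged committer names. The sample workflow and its placeholder payload are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List

# Throwaway committer names named in the campaign reporting.
SUSPECT_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}

# `base64 -d` / `base64 --decode` whose output is piped into a shell.
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|--decode)\b[^|]*\|\s*(?:ba|z)?sh\b")
# A base64 literal long enough to carry a script rather than a short token.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
# Any use of the secrets context, e.g. ${{ secrets.X }} or ${{ toJSON(secrets) }}.
SECRETS_REF = re.compile(r"\$\{\{[^}]*\bsecrets\b[^}]*\}\}")


@dataclass
class Finding:
    line: int          # 1-based line in the workflow file
    reason: str
    uses_secrets: bool  # workflow references the secrets context anywhere


def scan_workflow(text: str) -> List[Finding]:
    """Return one Finding per line that decodes base64 directly into a shell."""
    uses_secrets = bool(SECRETS_REF.search(text))
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if DECODE_TO_SHELL.search(line):
            reason = "base64 decoded into a shell"
            if LONG_B64.search(line):
                reason += " with inline payload"
            findings.append(Finding(lineno, reason, uses_secrets))
    return findings


def is_suspect_author(name: str) -> bool:
    """True if a commit author matches one of the forged bot identities."""
    return name.strip().lower() in SUSPECT_AUTHORS


# Constructed sample: the "payload" is a harmless placeholder, not the real one.
PLACEHOLDER = base64.b64encode(b"echo this is a harmless placeholder script line\n" * 2).decode()
MALICIOUS_WORKFLOW = f"""\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "{PLACEHOLDER}" | base64 -d | bash
        env:
          TOKEN: ${{{{ secrets.GITHUB_TOKEN }}}}
"""
# Constructed benign sample: decoding a certificate to disk is not piped to a shell.
BENIGN_WORKFLOW = "steps:\n  - run: echo \"$CERT_B64\" | base64 -d > cert.pem\n  - run: npm test\n"
```

Run it over every file under `.github/workflows/` and over the author field of recent commits; a hit on a freshly pushed workflow from an unfamiliar account is the signal to rotate the secrets that workflow could read.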
2. Drupal Critical SQL Injection (CVE-2026-9082) Exploited Within 48 Hours of Disclosure
A highly critical SQL injection vulnerability in Drupal core was disclosed on May 20, and attackers wasted no time. Within two days, security researchers observed over 15,000 exploitation attempts targeting nearly 6,000 sites across 65 countries. The flaw, which affects all Drupal versions from 8.9.0 through 11.3.9 running PostgreSQL, allows unauthenticated attackers to execute arbitrary SQL queries — opening the door to data theft, privilege escalation, and remote code execution. CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog on May 22, underscoring the urgency. Drupal has released patches across every supported branch, and administrators running PostgreSQL-backed sites are strongly urged to update immediately.
Source: SecurityAffairs | Drupal.org Advisory
3. Laravel-Lang PHP Packages Hijacked to Deploy Cross-Platform Credential Stealer
On May 22, attackers with push access to the Laravel-Lang GitHub organization rewrote every Git tag across multiple popular Composer packages within a 15-minute window. More than 700 malicious versions were published in rapid succession across packages including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. The injected payload — a helpers.php file wired into Composer’s autoload — runs silently on every PHP request, reaching out to an attacker-controlled domain to download a cross-platform credential stealer. The malware scrapes cloud keys, Kubernetes and Vault secrets, CI/CD tokens, SSH material, browser data, password manager vaults, crypto wallets, and messaging tokens. Packagist responded by pulling the malicious versions and temporarily unlisting the affected packages.
Source: The Hacker News | BleepingComputer
4. Instructure Pays Ransom After ShinyHunters Steal 3.65 TB from Canvas LMS
The fallout from the massive Canvas learning management system breach continued this week as new details emerged about Instructure’s ransom agreement with the ShinyHunters hacking group. After initially claiming the breach was resolved on May 6, Canvas was compromised a second time on May 7 — its login page replaced with a ransomware message. ShinyHunters claimed to possess 3.65 terabytes of data from approximately 275 million users across 8,809 educational institutions worldwide, including private messages between students and teachers. Instructure reached an agreement on May 11, one day before the hackers’ leak deadline, with unconfirmed reports suggesting a payment of $10 million. This incident stands as the largest educational security breach on record, and its timing during final exam periods at many institutions compounded the disruption.
Source: The Hacker News | CNN
5. Pwn2Own Berlin 2026 Yields 47 Zero-Days and $1.3 Million in Payouts
The annual Pwn2Own hacking competition wrapped up in Berlin on May 16, with security researchers earning $1,298,250 for demonstrating 47 previously unknown vulnerabilities across enterprise and AI targets. Highlights included DEVCORE’s Orange Tsai chaining three bugs to achieve remote code execution with SYSTEM privileges on Microsoft Exchange ($200,000), STARLabs SG exploiting a memory corruption flaw in VMware ESXi ($200,000), and multiple successful attacks against Windows 11, Microsoft Edge, Red Hat Enterprise Linux, and — for the first time — AI inference platforms like LiteLLM. DEVCORE took home the Master of Pwn title with $505,000 in total earnings. The inclusion of AI and LLM categories signals a significant shift in the threat landscape, as attackers and defenders alike turn their attention to the rapidly expanding AI infrastructure.
Source: BleepingComputer | SecurityWeek
