The dark web marketplace B1ack's Stash has released 4.6 million stolen credit card records for free after suspending sellers who violated its policies by reselling data on competing platforms. According to cybersecurity firm SOCRadar, the data includes complete card details, CVV codes, cardholder information, and addresses, with about 70% of the cards originating from the United States. The leaked information creates significant risks beyond simple card fraud, potentially enabling cybercriminals to conduct identity theft, open fraudulent accounts, and launch sophisticated phishing attacks.

ChromaDB, a popular open-source vector database used for AI applications with around 13 million monthly downloads, has an unpatched vulnerability that could allow attackers to completely take over servers without authentication. The flaw, tracked as CVE-2026-45829 and nicknamed ChromaToast, lets attackers exploit the system by supplying a malicious model through HuggingFace that executes before the server performs its authentication checks, giving hackers full control and access to sensitive data including API keys and files. Security researchers say they've been trying to alert Chroma about this critical vulnerability since November 2025 with no response, and roughly 73 percent of internet-accessible ChromaDB deployments running version 1.0.0 or later remain vulnerable.

A decades-old Windows utility called MSHTA is driving a sharp rise in silent malware attacks, according to BitDefender researchers who detected dramatic increases in abuse since the start of this year. The Microsoft-signed tool, originally designed to run HTML applications, is being exploited by attackers as a "Living-off-the-Land binary" to deliver everything from cryptocurrency-stealing malware to advanced persistent threats like PurpleFox, typically through social engineering tactics that trick users into executing malicious commands. Security experts say the primary defense is user awareness training combined with blocking access to these legacy binaries unless they're absolutely necessary for business operations.

A malicious version of the popular NX Console extension, version 18.95.0, was released targeting Visual Studio Code developers with credential-stealing malware. The compromised extension, which is used for development workflow management, represents a supply chain attack aimed at harvesting sensitive information from unsuspecting developers who installed the tainted update. This incident highlights the growing threat to developer tools and the software supply chain, where attackers target widely-used extensions to gain access to credentials and potentially compromise multiple downstream projects.

Multiple critical security vulnerabilities have been discovered in SEPPMail's Secure E-Mail Gateway that could allow attackers to execute remote code and gain unauthorized access to email traffic. The flaws represent a significant risk for organizations using the platform, as they could enable hackers to compromise the email gateway and intercept sensitive communications. Security researchers recommend that affected users apply patches immediately to protect their mail systems from potential exploitation.

Drupal has announced it will release critical security updates for its core platform on May 20th and is urging website administrators to prepare for immediate patching. The advisory indicates the updates address serious security vulnerabilities, though specific details haven't been disclosed to prevent exploitation before the patches are available. Site owners running Drupal are being advised to ensure they have backup procedures in place and are ready to apply the updates as soon as they're released.

A new phishing technique is exploiting OAuth consent prompts to bypass multi-factor authentication, allowing attackers to gain access to user accounts even when MFA is enabled. Unlike traditional phishing that steals passwords, these attacks trick users into granting malicious applications permission to access their accounts through legitimate-looking authorization requests. Security experts warn that this method is particularly dangerous because it circumvents one of the most widely recommended security protections.

Dark Reading editors reflect on twenty years of cybersecurity evolution, highlighting a persistent paradox in the industry: while organizations rush to adopt cutting-edge technologies like AI and cloud computing, they continue to struggle with basic security fundamentals like strong authentication, timely patching, and network segmentation. The pandemic emerged as a major inflection point that accelerated the shift from controlled on-premise networks to cloud-based infrastructure, dramatically expanding the attack surface with remote work, IoT devices, APIs, and non-human identities. Looking ahead, the editors warn that concepts like least privilege and asset inventory remain underutilized despite being discussed for two decades, and are now exponentially more complex with AI agents and ephemeral systems in the mix.

A critical security flaw in NGINX web servers that went undetected for 16 years is now being actively exploited by hackers just days after patches were released. The vulnerability, dubbed "Nginx Rift," affects millions of internet-exposed servers and can trigger denial-of-service conditions on default installations, while potentially allowing remote code execution on systems without proper security protections. Security researchers warn that while roughly 5.7 million servers are exposed, successful exploitation requires specific configurations, making the truly vulnerable population a smaller subset.

Grafana has confirmed a data breach after hackers compromised a token that gave them access to the company's GitHub environment, allowing them to download source code. The analytics software provider says no customer data or personal information was stolen and they've refused to pay the ransom demanded by the Coinbase Cartel cybercrime group. The gang, which security experts link to ShinyHunters and Scattered Spider, has been conducting a major data theft campaign targeting high-profile companies and currently lists 105 victims on their leak site.