Several Laravel-Lang PHP packages were compromised in a supply chain attack that delivered a cross-platform credential stealer to developers. The malicious packages, which are commonly used for language localization in Laravel applications, were modified to steal sensitive credentials from infected systems. This latest incident highlights the ongoing security risks in open-source software repositories where attackers target popular packages to distribute malware to large numbers of developers and their applications.

Anthropic's Claude Mythos AI has discovered ten thousand high-severity security vulnerabilities in widely used software, demonstrating AI's growing capability in automated security research. The discovery highlights how artificial intelligence is fundamentally changing the cybersecurity landscape, both for defenders who can now scan code at unprecedented scale and for attackers who can potentially exploit vulnerabilities faster than human security teams can respond. This development comes as industry experts warn that AI is compressing the window for human intervention in security incidents.

Grafana has confirmed that hackers stole its codebase and internal business data through the TanStack supply chain attack after failing to revoke one GitHub workflow token. The company detected the breach on May 11th, received a ransom demand five days later which it refused to pay, and says no customer production systems or the Grafana Cloud platform were affected. While the attackers accessed public and private source code plus internal repositories containing business contact information, Grafana emphasizes the code was not modified and no action is required from customers or open source users.

Trend Micro has patched a zero-day vulnerability in its Apex One security software that was actively exploited in the wild by suspected nation-state hackers. The flaw, tracked as CVE-2026-34926, allows attackers with local access and admin credentials to inject malicious code into on-premises Apex One servers, pushing it out to connected agents. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch systems by June 4th.

International law enforcement has disrupted First VPN, a cybercrime service operating since 2014 that provided anonymization tools used by at least 25 ransomware groups and other cybercriminals. Authorities seized 33 servers across 27 countries, arrested the alleged administrator in Ukraine, and identified 506 users whose information has been shared internationally for potential prosecution. The operation underscores that even services promising complete anonymity to criminals remain vulnerable to law enforcement takedowns.

The US Justice Department announced the arrest of Jacob Butler, a 23-year-old Canadian man accused of operating the Kimwolf botnet, which infected approximately 2 million devices and was linked to a record-breaking distributed denial of service attack that peaked at over 31 terabytes per second. Butler, who went by the online name "Dort," was arrested in Canada and faces extradition to the US, where he could receive up to 10 years in prison if convicted of aiding and abetting computer intrusion. The arrest coincides with seizures targeting 45 DDoS-for-hire platforms, part of a broader law enforcement operation that previously disrupted the botnet infrastructure in March.

Canadian authorities have arrested the alleged operator of the Kimwolf DDoS botnet, who is accused of running a DDoS-for-hire service. The arrest marks another enforcement action against so-called "booter" or "stresser" services that allow users to launch distributed denial-of-service attacks against websites and online services. DDoS-for-hire operations have become a persistent problem in cybersecurity, as they lower the barrier for launching disruptive attacks by making the tools available to anyone willing to pay.

A new research perspective reveals how attackers can exploit vulnerable drivers without needing specific hardware conditions, challenging previous assumptions about BYOVD attacks. The technique, known as "Bring Your Own Vulnerable Driver," allows threat actors to bypass security measures by loading legitimate but flawed drivers that grant them kernel-level access to systems. This finding expands the attack surface significantly, as it eliminates hardware dependencies that previously limited the scope of these exploits.

A massive cyberattack dubbed "Megalodon" has compromised over 5,500 GitHub repositories by exploiting CI/CD workflows to inject malicious code. The attack targets the software development pipeline, allowing hackers to potentially spread malware through continuous integration and deployment systems that automatically build and release software. Security researchers are warning developers to carefully review their GitHub workflow configurations and implement stronger access controls to prevent similar supply chain attacks.

A Chinese hacking group called Webworm has shifted its focus from Asia to European government targets in Belgium, Italy, Serbia, Spain, and Poland, using unconventional command-and-control methods through Discord, Microsoft Graph API, and GitHub repositories. Security researchers at ESET found the group has evolved from using well-known malware to deploying stealthier proxy tools and custom backdoors that leverage popular platforms to avoid detection. Organizations are urged to patch vulnerabilities, monitor unusual communications to services like Discord and Microsoft Graph, and watch for abnormal data transfers that fall outside standard workflows.