TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May 2026



Welcome to TheCyberThrone's cybersecurity month in review, covering the important security happenings. This review is for the month ending May 2026.

Subscribers' favorite #1

PyTorch Lightning Poisoned — Mini Shai-Hulud Worm Crosses Into the AI/ML Supply Chain

The lightning package on PyPI — the high-level PyTorch framework powering ML training pipelines globally — was compromised in an active supply chain attack on April 30, 2026. Versions 2.6.2 and 2.6.3 were flagged as malicious by Socket, Aikido Security, OX Security, and StepSecurity, with version 2.6.1 remaining the last clean baseline. The post details a precision strike on the AI development ecosystem: a multi-stage payload that executes at import time. When Socket raised a disclosure issue, the compromised GitHub account closed it within a minute and posted a mocking meme — indicating this wasn’t opportunistic but a deliberate, coordinated operation consistent with Team PCP’s escalating open-source supply chain campaign, which previously hit LiteLLM, Telnyx, Bitwarden CLI, and Xinference. Remediation guidance includes downgrading to 2.6.1, rotating all credentials, and auditing CI/CD pipelines…..

Subscribers' favorite #2

CVE-2026-45659 — Microsoft SharePoint RCE

Deserialization of untrusted data in Microsoft Office SharePoint allows an authenticated attacker to execute code remotely over a network. Any authenticated attacker with a minimum of Site Member permissions (PR:L) can trigger it — no administrator privileges required…..

Subscribers' favorite #3

Nitrogen Ransomware — Foxconn Breach

On May 11, 2026, the Nitrogen ransomware group claimed to have stolen 8 terabytes of data from Foxconn’s Mount Pleasant, Wisconsin facility — over 11 million files including assembly instructions, data center topology diagrams for Google and Intel, and hardware schematics linked to Apple, NVIDIA, and Dell. Foxconn confirmed the attack but described it only as a “technical issue affecting IT systems” — they did not confirm ransomware, data theft, or any ransom demand. The affected factories resumed normal production….

Subscribers' favorite #4

Fox Tempest Takedown — Microsoft DCU Dismantles Malware-Signing Service Operation

Microsoft’s Digital Crimes Unit (DCU) took down the infrastructure of Fox Tempest, a financially motivated threat actor active since at least May 2025. The group operated “upstream in the malware and ransomware supply chain” — not conducting attacks directly, but selling a malware-signing-as-a-service (MSaaS) offering that allowed cybercriminals to disguise malware as legitimate, trusted software…..

Subscribers' favorite #5

Mini Shai-Hulud: SAP’s npm Pipeline Poisoned to Drain Enterprise Secrets

Four packages from SAP’s Cloud Application Programming Model (CAP) toolchain were poisoned: @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt — the Cloud MTA Build Tool. All four carry roughly 570,000 combined weekly downloads and sit inside enterprise SAP CI/CD pipelines touching production cloud infrastructure….

This brings us to the end of this month-in-review security coverage. Thanks for visiting TheCyberThrone. If you like us, please follow us on Facebook, Twitter, Instagram.
