Last month, the places modern software trusts by default (package registries, source-code platforms, the open-source supply chain) became the places attackers fought hardest to control. Supply-chain compromise was gamified for cash prizes. A hacker crew walked off with thousands of private GitHub repositories. A self-replicating worm was handed out for free. And in a fitting twist, even one of ransomware’s seemingly most disciplined operations got breached. May 2026 was defined by a single theme: the open-source ecosystem turning into a cybercrime playground, with defenders left navigating a threat landscape where the rules keep changing.

May at a Glance
The TeamPCP group launched an organized “Supply Chain Competition” on BreachForums, offering $1,000 in Monero to whoever could poison the most widely downloaded packages using Shai-Hulud, with scoring based on download counts, effectively incentivizing attacks on the most popular libraries. Days later, the group compromised a GitHub employee’s device via a malicious VS Code extension and exfiltrated roughly 3,800 of GitHub’s internal repositories, listing them for sale at $50,000+.
Beyond the supply chain, the Russian state-sponsored group Sandworm continued its pivot from IT networks into critical operational technology, and data showed defenders had 43 days of warning signs before lateral movement began. On the vulnerability front, researchers disclosed Copy Fail (CVE-2026-31431), described as a severe Linux privilege-escalation flaw, which CISA added to its KEV catalog almost immediately. Ransomware reports kept a relentless pace with 704 claimed victims for the month.
Ransomware Landscape Snapshot
May saw 704 total claimed ransomware victims across all active groups. The United States remained the most targeted country, and Business Services the most targeted sector, a departure from previous months where manufacturing was a favorite target. Qilin dominated by a wide margin, while The Gentlemen held second place — notable given that, by month’s end, the group would suffer a very public breach of its own (more on that below).
Top 10 Groups by Claimed Victims:
- Qilin — 110
- The Gentlemen — 77
- DragonForce — 55
- Akira — 31
- IncRansom — 29
- Nova — 25
- FulcrumSec — 23
- SafePay — 22
- Genesis — 21
- CmdOrganization — 16
Notable Incidents This Month
Foxconn Ransomware Attack. The world’s largest electronics manufacturer confirmed a cyberattack that temporarily disrupted several North American facilities. The Nitrogen ransomware gang claimed responsibility, stating it exfiltrated 8 terabytes of data across more than 11 million files — including confidential technical drawings and schematics tied to major clients such as Apple, Nvidia, Intel, and Google. Nitrogen, operating since 2023 on leaked Conti 2 source code, is using the theft for double extortion.
Zara Data Breach. Fashion retailer Zara suffered a breach exposing the personal information of 197,400 customers, including email addresses, geographic locations, purchase data, and customer support tickets. The breach was carried out by the ShinyHunters extortion group as part of a broader campaign exploiting compromised Anodot analytics platform authentication tokens to access cloud data belonging to multiple companies. ShinyHunters set an April deadline for Inditex to make contact, threatening to publish the data if no agreement was reached; when the deadline passed, the data was published. Inditex confirmed the compromised databases did not contain names, phone numbers, addresses, passwords, or payment information.
CISA Contractor Exposes AWS GovCloud Keys. A Nightwing contractor maintained a public GitHub repository called “Private-CISA” containing AWS GovCloud keys, plaintext passwords, and internal CISA credentials for six months before a GitGuardian researcher discovered it on May 14. The repository contained files detailing how CISA builds, tests, and deploys software internally. The contractor had disabled GitHub’s default setting that blocks users from publishing SSH keys or other secrets in public repositories. CISA took the repository offline after being notified and stated there is currently no evidence of active exploitation, while noting additional safeguards are being implemented. The exposed credentials reportedly remained valid for an additional 48 hours after the repository came down.
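The Nightwing incident turned on a single disabled guardrail: with push protection off, nothing stood between a file of AWS keys and a public repository. The following is an added example (not code from the page, from CISA, or from GitGuardian) of the kind of pre-commit check a team can run locally so the guardrail does not depend on one hosting-platform setting. It scans file contents for AWS access key IDs, the 40-character secret that usually accompanies one, and loose plaintext password assignments, and reports redacted findings. The sample files, paths and values are constructed for the example; the AWS secret shown is the well-known placeholder from AWS documentation, not a real credential.

```python
import re
import sys
from typing import Dict, List, NamedTuple

# Detection patterns for the material named in the incident. AWS access key IDs
# begin with AKIA (long-term) or ASIA (temporary) followed by 16 uppercase
# alphanumerics; the secret access key is 40 base64-style characters and is
# matched only when it sits behind a recognisable variable name. The password
# rule is a deliberately loose heuristic and will need tuning for a real tree.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "plaintext_password": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{8,})"
    ),
}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    redacted: str  # never echo the full secret into logs or CI output


def redact(value: str) -> str:
    """Keep just enough of the value to locate it, never enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line of one file's contents."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # Patterns with a capture group report the captured secret,
                # the others report the whole match (the key ID itself).
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook would stage)."""
    results: List[Finding] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def has_secrets(files: Dict[str, str]) -> bool:
    """Gate function for a hook: True means the commit should be refused."""
    return bool(scan_files(files))


# Constructed sample tree (hypothetical paths and values) standing in for a
# repository that mixes deployment config, scripts and documentation.
SAMPLE_FILES = {
    "deploy/govcloud.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "REGION=us-gov-west-1\n"
    ),
    "scripts/db_setup.sh": (
        "#!/bin/sh\n"
        "DB_PASSWORD=CorrectHorseBattery1\n"
        "echo 'done'\n"
    ),
    "README.md": "Build with make; secrets come from the vault, not this repo.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} ({f.redacted})")
    # Non-zero exit refuses the commit when wired in as a pre-commit hook.
    sys.exit(1 if has_secrets(SAMPLE_FILES) else 0)
```

Wired in as a pre-commit hook, `has_secrets` refuses the commit locally, so the check still runs when a platform-side setting such as push protection has been switched off. Findings are redacted before printing so the scanner itself does not copy the credential into CI logs.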
The “fast16” Reveal. A historical analysis surfaced “fast16,” a Lua-based malware from 2005 that predates Stuxnet. Purpose-built to covertly tamper with nuclear weapons testing, it manipulated high-explosive detonation simulations and used over 100 rules to survive software updates. Fast16 stands as the first operation of its kind, and its discovery forces a re-evaluation of how long state-backed cyber sabotage against physical targets has been operational.
The underground turns on itself, again.
The Gentlemen, a fast-rising RaaS group that has made our top 10 list of most active threat actor groups throughout 2026, had its own backend breached in May, with internal chat logs, affiliate rosters, and negotiation records dumped across underground forums for rivals and defenders alike to dissect. The leak exposed an operation far smaller and more fragile than its reputation suggested, and showed that these groups are not immune to the same sloppy practices they look to exploit in their victims. In April, we watched a similar situation play out with Kybit and 0APT, with rival crews burning each other’s infrastructure and airing each other’s secrets. Cybercrime’s growing instability is becoming a feature of the threat landscape, with ego, money, and power fracturing already volatile and fragmented collectives. For defenders, each of these feuds is a rare intelligence windfall, and a welcome bit of schadenfreude.
Critical Vulnerabilities Requiring Immediate Action
- CVE-2026-20182: Cisco Catalyst SD-WAN — Authentication bypass granting admin privileges. CVSS 10.0. Upgrade to fixed versions (20.18.2.2 / 26.1.1.1 or later).
- CVE-2026-0300: Palo Alto PAN-OS — Unauthenticated RCE with root privileges via the User-ID Authentication Portal. CVSS 9.8. Upgrade or restrict portal access.
- CVE-2026-41096: Microsoft Windows DNS — Heap-based buffer overflow enabling RCE via crafted DNS responses. CVSS 9.8. Install May 2026 security updates.
- CVE-2026-41089: Windows Netlogon — Stack-based buffer overflow enabling RCE on a domain controller. CVSS 9.8. Apply May 2026 patches.
- CVE-2026-44277: Fortinet FortiAuthenticator — Improper access control allowing unauthenticated code execution. CVSS 9.8. Upgrade to 6.5.7 / 6.6.9 / 8.0.3 or above.
- CVE-2026-9082: Drupal — SQL injection on PostgreSQL-backed sites. CVSS 9.8. Update to the patched releases for Drupal 10/11.
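Several of the advisories above list more than one fixed release, one per maintained branch (for example 6.5.7 / 6.6.9 / 8.0.3 for FortiAuthenticator), and a naive "installed >= fixed" comparison gets that wrong: a 6.6.3 box compared against 6.5.7 would wrongly read as patched. The following added example (not code from the page or from any vendor) assesses an inventory of installed versions against the fixed releases exactly as this list states them. It assumes that each fixed release applies only to its own major.minor branch and that a branch with no listed fix cannot be confirmed as fixed, which it reports separately rather than guessing. The inventory hosts and versions are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases copied from the advisory list above. Branch-awareness is the
# assumption: a fixed release covers only the major.minor branch it belongs to.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "CVE-2026-20182": ["20.18.2.2", "26.1.1.1"],   # Cisco Catalyst SD-WAN
    "CVE-2026-44277": ["6.5.7", "6.6.9", "8.0.3"],  # Fortinet FortiAuthenticator
}

BRANCH_DEPTH = 2  # major.minor identifies the branch for both products above


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.6.9' (or '6.6.9-build0123') into a comparable tuple of ints."""
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(cve: str, installed: str) -> str:
    """Classify one installed version as 'fixed', 'vulnerable' or 'unknown-branch'.

    Only the fixed release on the same branch is consulted; tuple comparison
    handles differing lengths (20.18.3 sorts after 20.18.2.2) correctly.
    """
    inst = parse_version(installed)
    for fixed in FIXED_VERSIONS[cve]:
        fx = parse_version(fixed)
        if inst[:BRANCH_DEPTH] == fx[:BRANCH_DEPTH]:
            return "fixed" if inst >= fx else "vulnerable"
    # No fixed release listed for this branch: do not assume it is safe.
    return "unknown-branch"


def assess_inventory(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, cve, status) for every (host, cve, installed) row."""
    return [(host, cve, assess(cve, installed)) for host, cve, installed in inventory]


def needs_action(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts that are either confirmed vulnerable or cannot be confirmed fixed."""
    return sorted({host for host, _, status in assess_inventory(inventory)
                   if status != "fixed"})


# Constructed inventory (hypothetical host names and versions).
INVENTORY = [
    ("sdwan-edge-01", "CVE-2026-20182", "20.18.2.1"),
    ("sdwan-edge-02", "CVE-2026-20182", "20.18.3"),
    ("sdwan-edge-03", "CVE-2026-20182", "20.17.5"),
    ("fac-prod", "CVE-2026-44277", "6.6.3"),
    ("fac-dr", "CVE-2026-44277", "6.6.9"),
    ("fac-lab", "CVE-2026-44277", "7.0.1-build0042"),
]


if __name__ == "__main__":
    for host, cve, status in assess_inventory(INVENTORY):
        print(f"{host:14} {cve:15} {status}")
    print("needs action:", ", ".join(needs_action(INVENTORY)))
```

The "unknown-branch" outcome is the useful one: a branch absent from the advisory is not evidence of safety, and surfacing it separately keeps those hosts on the action list until the vendor's own matrix confirms their status.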
Lessons Learned
May reinforced themes that we’ve seen play out throughout 2026. First, supply-chain trust is being actively monetized, with attackers building economies around poisoning the packages and platforms everyone depends on. Second, “routine” alerts are anything but: Sandworm sat on compromised OT-adjacent systems that generated high-confidence alerts for an average of 43 days before moving laterally. And third, the criminal underground is increasingly unstable. When even a well-run RaaS operation can be turned inside out, it’s a reminder that the same hygiene failures attackers exploit will eventually catch up with them.
This overview only scratches the surface. Download the full May 2026 Cyber Threat Intelligence Report for the complete incident analysis, all critical CVEs, the full ransomware breakdown, deep technical analysis of Copy Fail and M3RX ransomware, and the inside story on The Gentlemen.