Security news.
Today's security landscape is dominated by active exploitation threats, supply chain attacks, and critical unpatched vulnerabilities. A Microsoft Exchange zero-day is under active attack, Drupal is releasing urgent core security updates tomorrow, and multiple software supply chain campaigns continue targeting developer credentials and CI/CD systems.
Microsoft Exchange Zero-Day Under Active Attack, No Patch Available
CVE-2026-42897, a cross-site scripting vulnerability in Exchange Server, is being actively exploited to compromise Outlook Web Access (OWA) mailboxes with no patch currently available.
Drupal to Release Urgent Core Security Updates on May 20
Drupal maintainers are issuing a critical core security release for all supported branches on May 20, 2026, warning that exploits may be developed within hours or days of release.
OAuth Consent Phishing Bypasses MFA, Compromises 340+ Microsoft 365 Organizations
The EvilTokens phishing-as-a-service platform compromised over 340 Microsoft 365 organizations across five countries by using fake device login pages that bypass multi-factor authentication.
Compromised Nx Console VS Code Extension Steals Developer Credentials
A malicious version of the Nx Console extension (rwl.angular-console v18.95.0) with 2.2 million installations was published to the VS Code Marketplace and used to harvest credentials from developers.
Popular GitHub Action Compromised to Steal CI/CD Credentials
The actions-cool/issues-helper GitHub Action was compromised with all existing tags redirected to malicious commits that harvest API keys, cloud credentials, SSH keys, and tokens from CI/CD pipelines.
Mini Shai-Hulud Worm Compromises @antv npm Packages, Including echarts-for-react
The Mini Shai-Hulud malware campaign has compromised npm packages in the @antv ecosystem, including echarts-for-react which has ~1.1 million weekly downloads, as part of ongoing supply chain attacks.
CISA Contractor Leaked AWS GovCloud Keys and Internal Credentials on GitHub
A CISA contractor's public GitHub repository exposed highly privileged AWS GovCloud credentials and detailed information about CISA's internal software build, test, and deployment processes.
Unpatched ChromaDB Vulnerability Enables Remote Code Execution Without Authentication
A critical, unpatched vulnerability in ChromaDB can be exploited remotely without authentication to execute arbitrary code and leak sensitive information.