Security news.
Today's cybersecurity news highlights critical vulnerabilities and ongoing supply chain attacks. Drupal is set to patch a highly critical vulnerability, while new waves of malware are compromising npm packages and targeting macOS users. Additionally, a CISA contractor's leaked AWS GovCloud keys underscore persistent issues with fundamental security hygiene.
Microsoft Exchange Zero-Day Under Active Attack
A cross-site scripting (XSS) vulnerability, CVE-2026-42897, in Microsoft Exchange is being actively exploited to compromise Outlook Web Access (OWA) mailboxes, with no patch currently available.
Drupal to Patch Highly Critical Vulnerability
Drupal will release an urgent core security update on May 20th for a highly critical vulnerability that attackers could exploit within hours or days.
CISA Contractor Leaked AWS GovCloud Keys on GitHub
A CISA contractor publicly exposed credentials to highly privileged AWS GovCloud accounts and internal CISA systems via a GitHub repository, revealing details on CISA's software development.
New Shai-Hulud Malware Wave Hits 600 npm Packages
Threat actors have published over 600 malicious packages to the npm index as part of a new Shai-Hulud supply-chain campaign, with a "Mini Shai-Hulud" variant also compromising @antv ecosystem packages.
Microsoft Self-Service Password Reset Abused in Azure Data Theft
A threat actor is exploiting Microsoft 365 and Azure production environments, abusing legitimate applications and administration features, including Self-Service Password Reset, to steal data.
SHub Reaper Stealer Backdoors macOS
The SHub Reaper stealer is now spoofing Google, Microsoft, and Apple services, hiding behind fake WeChat and Miro installers to execute Apple script-based backdoors on macOS.
PoC Released for DirtyDecrypt Linux Kernel LPE Vulnerability
Proof-of-concept exploit code has been released for DirtyDecrypt (CVE-2026-31635), a recently patched Linux kernel flaw allowing local privilege escalation to root.
Unpatched ChromaDB Vulnerability Can Lead to Server Takeover
A critical, unpatched vulnerability in ChromaDB allows unauthenticated remote attackers to execute arbitrary code and leak sensitive information, potentially leading to a complete server takeover.