Top 5 Cybersecurity News Stories May 22, 2026

This week’s Top 5 Cybersecurity News Stories May 22, 2026 are not a recap. They are a strategic read of where trust is breaking down across the layers organisations have never modelled as attack surface. A Visual Studio Code extension used by developers at GitHub, OpenAI, and Mistral AI. The antivirus engine running on nearly every managed Windows endpoint. The content management system powering government and healthcare portals across Europe. An AI model used not to defend, but to discover and weaponize a previously unknown vulnerability. And a Windows Server buffer overflow from 2008, still reachable, still being actively exploited in 2026.

The common thread across these five stories is not a shared technical class of vulnerability. It is a shared governance assumption: that certain layers of the digital environment are infrastructure by nature and attack surface by exception. This week demonstrated, across five separate incidents, that the assumption is structurally wrong.

1) GitHub, OpenAI, and Mistral AI Breached Through a VS Code Extension That Was Live for 18 Minutes

On May 18, TeamPCP published a malicious version of the Nx Console Visual Studio Code extension to the Visual Studio Marketplace. It remained available for exactly 18 minutes. In that window, it was installed by developers at GitHub, OpenAI, and Mistral AI, delivering a credential stealer that harvested npm tokens, GitHub tokens, AWS credentials, and 1Password vault contents. GitHub confirmed the subsequent exfiltration of approximately 3,800 internal repositories. OpenAI confirmed limited credential compromise from internal source code repositories. Mistral AI confirmed that its npm and PyPI SDKs were trojaned, with its source code now advertised for sale on criminal forums. Separately, on May 19, three malicious versions of Microsoft’s official durabletask Python SDK — downloaded more than 400,000 times monthly — were published to PyPI in a 35-minute window, delivering the same cloud credential-harvesting payload across Azure Durable Functions environments.

The strategic issue is not the brevity of the exposure window. It is where the malicious code landed. GitHub, OpenAI, and Mistral AI are, collectively, the source control infrastructure, the model research platform, and the developer SDK layer for a significant share of the global AI and software development ecosystem. Every internal design document, every training pipeline credential, every API key now in criminal hands represents a secondary exposure that the breached organisations cannot fully map. The durabletask compromise extends this into Azure cloud environments where the SDK orchestrates production workflows. This is TeamPCP’s ninth confirmed supply chain attack since January 2026. Each successive wave has escalated the trust tier of the infrastructure targeted — from open-source registries to the codebases of the organisations that build the tools the registries depend on.

Read more on: BleepingComputer

2) Google GTIG Confirms the First AI-Generated Zero-Day Exploit Caught in Active Use

Google’s Threat Intelligence Group published this week its documentation of the first confirmed AI-developed zero-day exploit observed in an active exploitation campaign. The target was Webmin, a widely deployed open-source web administration tool used by millions of Linux server administrators. The exploit — a Python script enabling a complete bypass of Webmin’s two-factor authentication — carried the structural markers characteristic of LLM-generated code: extensive educational docstrings, a hallucinated CVSS score assigned to a vulnerability that had not previously been given a CVE number, and a textbook Pythonic structure consistent with AI training data. GTIG assesses with high confidence that the threat actor used an AI model to analyse Webmin’s source code, identify a hard-coded trust assumption in its 2FA implementation where developer intent diverged from actual execution, and generate a functional proof-of-concept exploit. Google coordinated disclosure with Webmin’s maintainers, and the vulnerability was patched before broader exploitation began.

The boundary crossed this week is precise: AI was demonstrably used to complete the full zero-day workflow — discovery, analysis, weaponization — on production software, at a speed and semantic depth that previously required experienced security researchers. The class of flaw identified — a hard-coded trust assumption where intent diverges from implementation — is exactly the type that LLMs are structurally well-suited to find, because they process code the way developers write it: understanding intent, not just syntax. That capability is now available to any actor with access to a capable model and the target system’s source code or documentation. GTIG’s broader report documents a systematic transition across state-linked and criminal groups from experimental AI-assisted operations to operational deployment. The first AI-generated zero-day is a data point in a trajectory, not an isolated event. The question organisations should be asking is not whether this has happened. It has. The question is how their vulnerability management timelines were calibrated against the assumption that attacker research requires human researchers.

Read more on: The Hacker News

3) Microsoft Defender Is Being Actively Exploited — for the Second Time in Three Weeks

Microsoft confirmed this week that two Defender vulnerabilities, both added to CISA’s Known Exploited Vulnerabilities catalogue on May 20, are being actively exploited in the wild. CVE-2026-41091, the more critical of the two, allows a local attacker to gain SYSTEM-level privileges by exploiting a symbolic link resolution flaw in the Microsoft Malware Protection Engine. When Defender processes a file via a symbolic link during a scan, it fails to validate the target path before acting on it — enabling privilege escalation from a standard user account to SYSTEM without any additional authentication or exploitation of other components. CVE-2026-45498 separately enables a denial-of-service condition against the same engine. Both were patched in Malware Protection Engine version 1.1.26040.8. Federal agencies face a CISA remediation deadline of June 3.

CVE-2026-41091 is the second actively exploited Microsoft Defender zero-day confirmed in attacks within three weeks, following the BlueHammer flaw (CVE-2026-33825) patched in late April. The structural explanation for this pattern is not product quality. It is operational architecture. Defender must, by design, reach into running processes, scan privileged file paths, and interact with kernel-level components to perform its function. That requirement creates an attack surface that is inherently broad and highly privileged. A symbolic link flaw at that layer delivers SYSTEM access without touching any user-facing code. Defender runs on nearly every managed Windows endpoint by default, operates with elevated system trust, and is frequently excluded from third-party monitoring coverage by policy or configuration. Attackers have identified that specific combination — ubiquitous deployment, high system privilege, limited external visibility — as a reliable privilege escalation path. Two exploited zero-days in three weeks is the confirmation of that calculation, not an anomaly.

Read more on: The Hacker News

4) Drupal’s Emergency Patch: No Authentication, Full Data Access, Government Infrastructure in the Window

On May 20, the Drupal Security Team released an emergency patch for a vulnerability rated “highly critical” at 20 out of 25 on Drupal’s published scoring model, announced in advance as PSA-2026-05-18 and catalogued as SA-CORE-2026-004. The vulnerability allows any unauthenticated attacker with network access to read and modify all non-public data on affected Drupal installations — including user records, private content, and administrative configurations — with Access Complexity of None and no Authentication required. Affected versions include Drupal 10.5.x, 10.6.x, 11.2.x, and 11.3.x. The Drupal Security Team explicitly warned that exploit code could be developed within hours of the patch release and described the scoring profile as closely paralleling the 2018 Drupalgeddon2 flaw, which triggered one of the fastest and most widespread mass-exploitation campaigns ever directed at a content management system.

The strategic dimension of this vulnerability is its target population. Drupal is the content management infrastructure of choice for government ministries, federal agencies, public universities, national research institutions, and healthcare organisations across Europe. A no-authentication full-read-write vulnerability in Drupal is, in operational terms, a no-authentication full-read-write vulnerability in the citizen-facing data layer of a significant portion of European public sector digital infrastructure. The timing compounds the exposure: organisations in the affected sectors are simultaneously under active NIS2 compliance pressure, meaning that a successful exploitation event carries direct regulatory accountability for management under the personal liability provisions that took effect in Germany in May 2026. Many Drupal installations in these sectors are managed by third-party agencies or academic IT departments where patch deployment timelines are measured in weeks rather than hours. The Drupalgeddon2 reference the security community has drawn is not alarmist. In 2018, automated scanners identified and began exploiting vulnerable Drupal installations within 24 hours of the patch release. The patch window for this vulnerability should be measured in hours.

Read more on: Drupal.org

5) CISA Adds 2008–2010 Era CVEs to Its Exploited Catalogue. Someone Is Still Reaching Those Systems.

On May 20, CISA added seven vulnerabilities to its Known Exploited Vulnerabilities catalogue, five of which were publicly disclosed between 2008 and 2010. The legacy entries include CVE-2008-4250, a buffer overflow in Windows Server 2003 and Windows XP rated CVSS 10.0; CVE-2009-1537, a NULL byte overwrite in Microsoft DirectX; CVE-2009-3459, a heap-based buffer overflow in Adobe Acrobat and Reader; and CVE-2010-0249 and CVE-2010-0806, two Internet Explorer use-after-free vulnerabilities. CISA adds vulnerabilities to the KEV catalogue only when there is confirmed evidence of active exploitation. All five legacy entries were added on that basis: in 2026, sixteen to eighteen years after public disclosure and the availability of patches, these vulnerabilities are being used in active attacks against real systems.

The only systems where a 2008 Windows Server buffer overflow remains exploitable in 2026 are systems that have not been patched or replaced in sixteen years. That population is larger than most security programs account for. It includes embedded industrial and building management devices whose vendors no longer exist. It includes medical and laboratory equipment running Windows XP where software replacement requires regulatory recertification and planned clinical downtime. It includes vendor-managed appliances — badge readers, HVAC controllers, kiosk systems — where the organisation does not have administrative access to the underlying operating system. It includes OT environments where “offline” or “air-gapped” was assumed to mean protected, until a lateral movement path connected them to something that was not. CISA adding 2008-era vulnerabilities to its actively-exploited catalogue in 2026 means that threat actors are actively scanning for and reaching these conditions today — not as historical curiosities, but as operational access vectors. The governance question this raises for decision-makers is not whether their known, managed assets are patched. It is whether they have an accurate and complete inventory of what is actually connected to their network.

Read more on: CISA

If this week tells us anything, it’s this:

The five stories in this week’s Cybersecurity News Stories May 22, 2026 share a structural characteristic that the technical detail of each incident tends to obscure. Every one of them targeted something organisations treat as infrastructure rather than attack surface. The developer toolchain — the IDE extensions, the SDK packages, the source code repositories — is infrastructure. Microsoft Defender is infrastructure. Drupal is infrastructure for the public sector organisations that run their citizen services on it. A 2008 Windows Server buffer overflow is infrastructure in the sense that it still runs, somewhere, connected to something that matters. And AI is now operational infrastructure for attackers in the same way it is becoming operational infrastructure for defenders — but the deployment timeline on the attacker side is moving faster.

The common governance failure these stories expose is not that organisations lack security controls. It is that the threat models underlying those controls were not designed to account for these layers. Developer tooling was trusted by default. Security software was modelled as a control, not a potential target. Public sector web infrastructure was considered hardened by procurement governance. Legacy devices were assumed to be isolated, irrelevant, or someone else’s responsibility. AI was assumed to be a capability advantage that defenders would reach first. Five incidents in one week demonstrated, with precision, that each of those assumptions is incorrect. The attack surface does not end at the perimeter. In 2026, it includes the tools used to build the perimeter, the software used to defend it, the platforms used to run public services on it, and the systems that were forgotten long before the perimeter was even defined.

For more information, please contact us now!