Dutch authorities have dismantled a botnet comprising at least 17 million infected devices, including computers, smartphones, tablets, and IoT devices.

More than 200 servers in the Netherlands supported the operation. Police seized a subset of the infrastructure, and the hosting provider subsequently took the network offline.

Read: https://thehackernews.com/2026/05/dutch-authorities-dismantle-botnet.html

⚠️ Attackers used an LLM agent for post-exploitation after breaching a public Marimo notebook via CVE-2026-39987, a pre-auth RCE flaw affecting versions ≤0.20.4.

The intrusion stole cloud credentials, retrieved an SSH key from AWS Secrets Manager, and exfiltrated a PostgreSQL database via eight SSH sessions in under two minutes.

Full report: https://thehackernews.com/2026/05/attackers-use-llm-agent-for-post.html

⚠️ A new technique called "ChatGPhish" turns OpenAI’s ChatGPT into a #phishing tool.

No special prompt required... simply summarizing a malicious web page can cause #ChatGPT to display phishing links, fake security alerts, QR codes, and attacker-hosted images in its trusted interface.

Full story: https://thehackernews.com/2026/05/chatgphish-vulnerability-turns-chatgpt.html

⚠️ Two new #Android NFC relay malware families — DevilNFC and NFCMultiPay — are targeting banking customers in Europe and Latin America.

These tools, developed with possible AI assistance, steal card PINs. DevilNFC even locks victims in a fake interface using Kiosk Mode while relaying card data.

Local threat actors are now building their own tools instead of relying on Chinese MaaS platforms.

Read this story: https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html#:~:text=DevilNFC%20and%20NFCMultiPay%20Android%20NFC%20Relay%20Malware

⚠️ Enterprise AI risk is heavily concentrated among a small group of power users and personal accounts.

LayerX Security’s 2026 report shows the top 5% of employees generate 144+ conversations each. Nearly half of all enterprise AI conversations use personal identities. Over 6% contain sensitive data.

Most organizations lack full visibility.

Full report: https://thehackernews.com/2026/05/new-ai-usage-report-enterprise-ai-risk.html

🚨 Lazarus deployed a new memory-only RAT against crypto and financial organizations.

https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html

The RemotePE malware executes entirely in memory with no filesystem artifacts, using DPAPI loaders, ETW patching, and Hell’s Gate techniques to evade detection and maintain stealthy access.

🚨 TrapDoor supply chain attack hits npm, PyPI, and Crates-io.

https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html

34 malicious packages across 384 versions were used to steal crypto wallets, SSH keys, cloud credentials, and developer secrets from crypto, DeFi, Solana, and AI environments.

The malware abused npm hooks, Python imports, and Rust build scripts for execution and persistence.

Ghostwriter is phishing Ukraine’s government with Prometheus-themed malware lures.

https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html

Compromised-account emails deliver PDF links that lead to ZIP-based JavaScript malware: OYSTERFRESH → OYSTERBLUES/OYSTERSHUCK.

Cobalt Strike is assessed as the final payload.

🚨 Anthropic’s Claude Mythos Preview found 10,000+ severe software flaws in one month.

https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html

The AI uncovered high- or critical-severity vulnerabilities across widely used software, including 1,726 confirmed flaws and 1,094 rated high or critical severity.

The findings have already led to 97 patches and 88 advisories.

One flaw, CVE-2026-5194 in WolfSSL, could allow certificate forgery.