Scott's Tots Closed The Loop. $6.25B Dell Pledge, $1-5M Trump Position, $9.7B Pentagon Contract, 255% Rally. We Called The Shape In March. May Delivered The Numbers.
On March 11, 2026, this blog published "Scott's Tots: Michael Dell Promised 25 Million Kids $250 and a Dream." The post mapped Michael and Susan Dell's December 2025 pledge of $6.25 billion to fund Trump Accounts — a federal savings program for newborns — onto the architecture of Season 6 Episode 12 of The Office, where Michael Scott returns to a class of high-school seniors he had ten years earlier promised college tuition. Scott couldn't pay. He brought laptop batteries. Th
Patrick Duggan
May 31, 9 min read


Cris Thomas (L0pht Veteran, Architect Of Responsible Disclosure) Is Calling Microsoft's MSRC Posture An Abuse Of The Framework His Community Built. Free Cookies For Collaborators.
Yesterday we wrote a commentary on the Microsoft Security Response Center blog from May 27 that complained about uncoordinated zero-day disclosures and threatened Digital Crimes Unit pursuit of researchers and "those that enable their criminal activity." We landed inside the blast radius of that framing on purpose, because the alternative was letting a platform-vendor blog chill independent threat-intelligence reporting. The post was directionally right and underweighted on o
Patrick Duggan
May 31, 11 min read


Okta. Three Breaches. Three Trust Paths. All Inside The Identity Surface Okta Sells Defense For. Sitel, Source Code, Support Case System.
Trellix had source code in RansomHouse hands in May 2026. Checkmarx had source code in LAPSUS$ hands in April 2026. We wrote about both yesterday in the "Security Vendor Industry Is The Soft Surface" frame. Okta belongs in the same conversation. Okta has been breached three distinct times through three distinct trust paths, and all three trust paths are inside the identity-surface vertical Okta exists to defend. The pattern is not a coincidence and not a one-time misfortune.
Patrick Duggan
May 31, 7 min read


ShinyHunters Hit Charter, Carnival, Vimeo, 7-Eleven, And Instructure In May 2026. Plus TELUS, Cushman & Wakefield, NVIDIA Armenia Earlier. The Dominant Criminal Pool Of The Year.
ShinyHunters is the dominant criminal pool of 2026 by victim count, blast radius, and brand recognition. The May 2026 ledger of confirmed ShinyHunters-attributed breaches against publicly-named victims is the receipt that closes the question of who holds the criminal-pool throne for the year. Five major brands in thirty days, plus three more earlier in 2026, plus the operator constellation Patrick Duggan and Paul Galjan have been tracking under the "Coinbase Cartel" frame acr
Patrick Duggan
May 31, 6 min read


RansomHouse Has Trellix's Source Code. LAPSUS$ Has Checkmarx's. The Security Vendor Industry Is Now The Soft Surface It Sells Defense For.
Trellix confirmed on May 8, 2026 that the ransomware-extortion group RansomHouse compromised the company's source code repositories. The disclosure was accompanied by "proof of intrusion" images RansomHouse posted on their leak site. Checkmarx confirmed on April 28, 2026 that LAPSUS$ stole data from the company's private GitHub repository. Both companies are tier-one cybersecurity vendors. Both vendors sell defensive products explicitly marketed as protection against the exac
Patrick Duggan
May 31, 6 min read


California AG Sues Chrome Holding Co. (Formerly 23andMe) For Five Months Of Undetected Credential Stuffing. MyHeritage Passwords They Already Knew Were Compromised. Seven Million Records Stolen.
California Attorney General Rob Bonta filed suit on May 28, 2026 against Chrome Holding Co., the corporate entity formerly known as 23andMe, alleging that the company's 2023 data breach was the result of basic, well-known security failures that the company explicitly knew about and chose not to address. The complaint alleges violations of the California Genetic Information Privacy Act, the California Reasonable Data Security Law, the California False Advertising Law, the Unfa
Patrick Duggan
May 31, 7 min read


BlueHammer Validates Predictive Kill Chain. Forty Days Of Customer Detection Window Before Microsoft Acknowledged The CVE. Microsoft Sits On Seventy-Eight Billion In Liquid Cash.
Microsoft's Security Response Center published a blog on May 27, 2026 complaining that several zero-day vulnerabilities — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — were disclosed publicly without prior coordination with Microsoft. The MSRC post asserts the disclosures put customers at "unnecessary risk" and that Microsoft's Digital Crimes Unit will pursue cases against the researchers and "those that enable their criminal activity." We published a
Patrick Duggan
May 30, 6 min read


Silver Fox Completes The Four-Archetype Geopolitical Adversary Grid. China-Aligned ValleyRAT Cybercrime With Tax-Themed Phishing And State-Recruitment-Pool Overlap Potential.
We filed three Russia-Ukraine cyber archetypes into our adversaries index earlier today — GREYVIBE, UAC-0098, and Ember Bear — completing a structural triangle that describes Russia-aligned cyber operations from 2020 to 2026. The triangle is the receipt of how the criminal-pool talent reservoir applied informed acceleration without ethical brakes across one geopolitical theater. Tonight we file a fourth actor that completes the broader geopolitical grid: Silver Fox, the China
Patrick Duggan
May 30, 4 min read


Microsoft Says Publishing Proof-Of-Concept Code Is 'Criminal Activity.' Microsoft Owns GitHub. GitHub Is The World's Largest Distributor Of Proof-Of-Concept Code. Read That Sentence Three Times.
The Microsoft Security Response Center published a blog on May 27, 2026 titled "A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure." The post complains that several zero-day vulnerabilities — RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma — were disclosed publicly without prior coordination with Microsoft. The post then makes a claim that needs to be quoted verbatim because the framing is the story: "Uncoordinated
Patrick Duggan
May 30, 7 min read


Five Emerging Patterns From Sixty Days Of Threat Intel. Trust-Path Bleed Is Active Across Seven Vendor Surfaces. The Russia-Ukraine Triangle Is Complete. The Defender Iteration Gap Is Widening.
This is the eighth post we have published today. The other seven covered specific incidents, specific actors, specific receipts. This one is the synthesis. After sixty days of reading public threat-intelligence disclosures, ingesting their indicators-of-compromise packs into a four-hundred-forty-index Meilisearch corpus, cross-correlating against ICIJ offshore-leaks data and our own block-events history, and writing the daily receipts of what we found, five patterns have ripe
Patrick Duggan
May 30, 12 min read


Sicoob.Sdk v2.0.4 Stole Brazilian Banking PFX Certificates Through Sentry Telemetry. Google's AI Search Recommended It. The Trust-Path Bleed Just Crossed Three Vendor Surfaces At Once.
Socket Research published a writeup this week on a malicious NuGet package named Sicoob.Sdk that impersonated the official C# SDK for Sicoob, the Brazilian cooperative-banking network that handles savings, Pix instant payments, Open Finance integrations, and Boleto payment slips for millions of Brazilian consumers and small businesses. The package shipped versions 2.0.0 through 2.0.4 between May 5 and May 6, 2026. Total downloads: four hundred eighty-four. Small N. Each victi
Patrick Duggan
May 30, 7 min read


GREYVIBE Is Not A Vibe Actor. It Is Informed Acceleration Without Brakes. UAC-0098 Was Its 2022 Precedent.
This morning we filed the GREYVIBE adversary profile after WithSecure's disclosure. Five campaigns. Three malware families. Four custom obfuscators. The first publicly-attributed operator group whose malware toolkit was visibly built with ChatGPT, Ideogram, and Gemini as a coordinated multimodal production pipeline. That post covered what they are. This one covers what they mean. The synthesis takes a different shape than the introduction because the answer is not in the camp
Patrick Duggan
May 30, 7 min read


GREYVIBE Is The First Russia-Linked Threat Actor Whose Malware Toolkit Was Built With ChatGPT, Ideogram, And Gemini. WithSecure Disclosed Today. Five Campaigns, Three Malware Families.
WithSecure published a comprehensive disclosure today on a previously undocumented Russia-linked threat actor they have been tracking since January 2026 under the name GREYVIBE. The disclosure landed in dual-source coverage at BleepingComputer and The Hacker News with the substantive technical detail and the indicator-of-compromise pack hosted on GitHub. The group is conducting persistent cyberespionage operations against Ukrainian military, government, civilian, and corporat
Patrick Duggan
May 30, 7 min read


Kimsuky Just Added HTTPSpy, HelloDoor, And VS Code Tunnels For Command-And-Control. The North Korean Espionage Arsenal Is Now The Soft-Surface Playbook.
The Hacker News reported yesterday on a tradecraft expansion by Kimsuky, the North Korean state-sponsored espionage actor we already track in our adversaries index under the synonyms Velvet Chollima, Black Banshee, Thallium, and Operation Stolen Pencil. The expansion has three named components. A new malware family called HTTPSpy is now the primary tool against South Korean military and corporate targets. A backdoor called HelloDoor has been added to the persistence stack. An
Patrick Duggan
May 30, 6 min read


FortiClient EMS Will Now Execute Code With No Authentication. PAN-OS GlobalProtect Will Now Let You In With No Credentials. The Perimeter Vendors Just Shipped The Bleed.
This week the two largest perimeter vendors in enterprise security each shipped a vulnerability that turns their own product into the breach. Fortinet patched CVE-2026-35616, a pre-authentication API access bypass in FortiClient EMS scoring a 9.1 critical, which the discoverers at Defused Cyber observed under active zero-day exploitation since early April 2026 — roughly two months before the public advisory. Palo Alto Networks updated their advisory for CVE-2026-0257, a Globa
Patrick Duggan
May 30, 8 min read


Two Thousand Vibe-Coded Apps Are On The Internet With No Access Controls. Sixteen Days Ago Our Lovable Audit Said This Was Coming. The Pyramid Is Built.
Sixteen days ago we published a post titled "Your Lovable App Is a Spreadsheet. Mine Has Crons." The thesis was that the AI development economy in 2026 has produced an enormous population of demos that the demo authors believe are products, that the production loop — telemetry, regressions, runbooks, paying customers who would notice if the cron missed at three in the morning — does not exist inside a Lovable preview pane, and that the hackathon-class output is going to land
Patrick Duggan
May 30, 8 min read


HoneyLabs Mapped An Apache CVE Botnet By Its Back-End. Our Index Already Had The Family Name Waiting: Redtail. The Fusion Is The Receipt.
This morning HoneyLabs published a back-end mapping of a botnet that has been quietly earning rent for almost five years. They never named the malware family. They never had to. Their methodology was the point. They pulled next-stage URLs out of dropper binaries, clustered the delivering nodes by JA4 and JA4H and HASSH fingerprints, and walked the chain back from the noise at the perimeter to the eight staging servers that actually run the campaign. The data shape is one thou
Patrick Duggan
May 29, 7 min read


Akira Hit An Aerospace MRO And A Japanese Battery Giant Today. We Have The Binary Signatures From April. Punk Spider Stays Active And The Industrial Mid-Tier Continues To Bleed.
Akira posted two victims to its leak site today. GS Yuasa Lithium Power is the Japanese global battery and lithium-ion manufacturer whose batteries powered the original Boeing 787 Dreamliner installations and now power major automotive electrification programs at Honda and Mitsubishi, industrial backup-power systems, and renewable-energy storage deployments across multiple continents. Alpine Aerotech is a Canadian aerospace MRO provider specializing in helicopter dynamic comp
Patrick Duggan
May 29, 5 min read


The Coinbase Cartel Hit Four Major Verticals In Eight Days. Carnival Cruise Is The Fourth. Six Million Records. The Confederation Pace Is Now One Vertical Every Forty-Eight Hours.
ShinyHunters posted Carnival Cruise to the Trinity of Chaos leak site this afternoon with a claim of approximately six million customer records. Carnival is the fourth major-vertical victim the Coinbase Cartel confederation has posted in an eight-day window. The four are Canvas Instructure on May 22 with three-and-a-half terabytes of education-sector data, DentaQuest on May 23 with a small initial-claim of seven-hundred-forty-four user records that is almost certainly underst
Patrick Duggan
May 29, 5 min read


TridentLocker Picked The 9/11 First-Responder Health Program As Its Second Victim Of The Week. The Vertical Is Healthcare-Adjacent-Plus-Reputational-Lethality. Tampa Bay Dental Was The First.
TridentLocker posted the World Trade Center Health Program to its leak site today. The program enrolls approximately 130,000 first responders and survivors of the 9/11 attacks under the Zadroga Act and provides federally-administered medical monitoring and treatment for exposure-related illnesses — respiratory disease, cancers documented to be related to WTC dust exposure, mental health diagnoses tied to post-traumatic stress from the events themselves. The dataset is the kin
Patrick Duggan
May 29, 4 min read