
Weekly Threat Report 2026-05-18

Weekly Threat Intelligence Summary

Top 10 General Cyber Threats

Generated 2026-05-18T05:00:05.637911+00:00

  1. Defending Against China-Nexus Covert Networks of Compromised Devices (www.cisa.gov, 2026-04-21T15:12:37)
    Score: 13.071
    Defending against China-nexus covert networks of compromised devices. Executive summary: Explaining the widespread shift in tactics, techniques and procedures (TTPs) towards networks of compromised infrastructure, and how to defend against it. Summary: With support from the UK Cyber League, this advisory has been jointly released by the National Cyber Security Centre (NCSC-UK) and international partners: Australian Signals Directo
  2. May 2026 Patch Tuesday: no zero-days but plenty to fix (www.malwarebytes.com, 2026-05-13T11:00:45)
    Score: 8.408
    May’s Patch Tuesday may not be the giant release many expected, but there are still plenty of important fixes that shouldn’t be ignored.
  3. Attackers replaced JDownloader installer downloads with malware (www.malwarebytes.com, 2026-05-15T12:45:47)
    Score: 7.754
    The JDownloader website was compromised and installer download links served malware for several days.
  4. Why Malwarebytes blocks some Yahoo Mail redirects (www.malwarebytes.com, 2026-05-14T10:47:52)
    Score: 7.574
    Some Yahoo Mail users may see repeated Malwarebytes alerts caused by background connections to suspicious third-party domains. Here’s why.
  5. NIST NVD Enrichment Policy Change: Prioritizing Vulnerabilities with Attacker Behavior Signals (www.recordedfuture.com, 2026-05-14T00:00:00)
    Score: 7.499
    NVD enrichment now covers only 15–20% of CVEs. Learn how Recorded Future Vulnerability Intelligence prioritizes risk using real attacker behavior signals.
  6. April 2026 CVE Landscape (www.recordedfuture.com, 2026-05-15T00:00:00)
    Score: 7.465
    In April 2026, Insikt Group® identified 37 high-impact vulnerabilities that should be prioritized for remediation, 35 of which had a Very Critical Recorded Future Risk Score. This represents a 19% increase from last month.
  7. Threat Activity Enablers: The Backbone of Today’s Threat Landscape (www.recordedfuture.com, 2026-05-06T00:00:00)
    Score: 7.165
    Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center.
  8. May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs (www.crowdstrike.com, 2026-05-12T05:00:00)
    Score: 6.7
  9. AI is distorting the Holocaust (Lock and Code S07E10) (www.malwarebytes.com, 2026-05-18T01:51:37)
    Score: 6.178
    This week on the Lock and Code podcast, we speak with Clara Mansfeld about how AI-generated imagery is warping the history of the Holocaust.
  10. Update WhatsApp now: Two new flaws could expose you to malicious files (www.malwarebytes.com, 2026-05-05T11:39:11)
    Score: 6.08
    WhatsApp patches flaws that could expose users to malicious content and disguised malware.

Top 10 AI / LLM-Related Threats

Generated 2026-05-18T06:00:20.623694+00:00

  1. GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access (cloud.google.com, 2026-05-11T14:00:00)
    Score: 44.413
    Executive Summary Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sop
  2. Compositional Jailbreaking: An Empirical Analysis of Mutator Chain Interactions in Aligned LLMs (arxiv.org, 2026-05-18T04:00:00)
    Score: 20.28
    arXiv:2605.15598v1 Announce Type: new
    Abstract: Jailbreaking attacks on large language models pose a significant threat to AI safety by enabling the generation of harmful or restricted content. While prior work has explored both handcrafted and automated jailbreak strategies, the potential for compositional interaction between simple attacks remains underexplored. This paper presents a systematic study of mutator chaining, in which weak jailbreak transformations are applied sequentially to char
  3. Hidden in Memory: Sleeper Memory Poisoning in LLM Agents (arxiv.org, 2026-05-18T04:00:00)
    Score: 18.78
    arXiv:2605.15338v1 Announce Type: new
    Abstract: Large language models are increasingly augmented with persistent memory, allowing assistants to store user-specific information across sessions for personalization and continuity. This statefulness introduces a new security risk: adversarial content can corrupt what an assistant remembers and thereby influence future interactions. We propose and study sleeper memory poisoning, a delayed attack in which an adversary manipulates external context, su
  4. Detecting Privilege Escalation in Polyglot Microservices via Agentic Program Analysis (arxiv.org, 2026-05-18T04:00:00)
    Score: 17.78
    arXiv:2605.15569v1 Announce Type: new
    Abstract: Microservices are widely adopted in modern cloud systems due to their scalability and fault tolerance. However, microservice architectures introduce significant complexity in privilege and permission control, creating risks of privilege escalation where attackers can gain unauthorized access to resources or operations. Detecting such vulnerabilities is challenging due to complex cross-service interactions, polyglot codebases, and diverse privilege
  5. "Someone Hid It": Query-Agnostic Black-Box Attacks on LLM-Based Retrieval (arxiv.org, 2026-05-18T04:00:00)
    Score: 17.78
    arXiv:2602.00364v4 Announce Type: replace
    Abstract: Large language models (LLMs) have been serving as effective backbones for retrieval systems, including Retrieval-Augmentation-Generation (RAG), Dense Information Retriever (IR), and Agent Memory Retrieval. Recent studies have demonstrated that such LLM-based Retrieval (LLMR) is vulnerable to adversarial attacks, which manipulate documents by token-level injections and enable adversaries to either boost or diminish these documents in retrieva
  6. ADMIT: Few-shot Knowledge Poisoning Attacks on RAG-based Fact Checking (arxiv.org, 2026-05-18T04:00:00)
    Score: 17.78
    arXiv:2510.13842v2 Announce Type: replace-cross
    Abstract: Knowledge poisoning poses a critical threat to Retrieval-Augmented Generation (RAG) systems by injecting adversarial content into knowledge bases, tricking Large Language Models (LLMs) into producing attacker-controlled outputs grounded in manipulated context. Prior work highlights LLMs' susceptibility to misleading or malicious retrieved content. However, real-world fact-checking scenarios are more challenging, as credible evidence
  7. FedEDAuth — Federated Embedding Distribution Authentication for Counterfeit IC Detection (arxiv.org, 2026-05-18T04:00:00)
    Score: 16.48
    arXiv:2605.15885v1 Announce Type: new
    Abstract: The widespread presence of counterfeit integrated circuits (ICs) poses severe risks to the security, reliability, and trustworthiness of modern electronic systems. Federated learning (FL) offers a privacy-preserving paradigm for collaborative counterfeit detection across the semiconductor supply chain, but its vulnerability to byzantine data poisoning attacks limits practical deployment. This paper presents Federated Embedding Distribution Authentication (
  8. Benchmark of Benchmarks: Unpacking Influence and Code Repository Quality in LLM Safety Benchmarks (arxiv.org, 2026-05-18T04:00:00)
    Score: 16.48
    arXiv:2603.04459v3 Announce Type: replace
    Abstract: The rapid expansion of research in LLM safety presents challenges in tracking advancements, making benchmarks important evaluation infrastructures for identifying key trends and facilitating systematic comparisons. Yet no systematic assessment exists of their code quality and runnability, nor of what factors are associated with the community's adoption of certain benchmarks over others. To address this gap, we conduct a systematic measure
  9. Pwn2Own Berlin 2026 – Day One Results (www.thezdi.com, 2026-05-14T08:27:32)
    Score: 15.572
    Welcome to Day One of Pwn2Own Berlin 2026! Today, 22 entries took the Pwn2Own stage to target AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products, as the world’s top security researchers push technology to its limits. Exploits, surprises, and breakthrough discoveries are unfolding. After Day One, we awarded $523,000 for 24 unique 0-days! DEVCORE is currently in the lead for Master of Pwn, but a pack of teams are right on their heels. Stay tuned tomorrow for
  10. FlipAttack: Jailbreak LLMs via Flipping (arxiv.org, 2026-05-18T04:00:00)
    Score: 15.48
    arXiv:2410.02832v2 Announce Type: replace
    Abstract: This paper proposes a simple yet effective jailbreak attack named FlipAttack against black-box LLMs. First, from the autoregressive nature, we reveal that LLMs tend to understand the text from left to right and find that they struggle to comprehend the text when noise is added to the left side. Motivated by these insights, we propose to disguise the harmful prompt by constructing left-side noise merely based on the prompt itself, then generali
  11. Pwn2Own Berlin 2026: The Full Schedule (www.thezdi.com, 2026-05-13T16:23:07)
    Score: 15.412
    Willkommen! (Welcome!) Pwn2Own Berlin 2026 has arrived at OffensiveCon, and the world’s top security researchers are ready. This year’s enterprise-focused competition features AI Databases, Coding Agents, Local Inferences, and a separate category for NVIDIA products. Earlier today, we held the random draw to determine attempt order. Below is the official schedule. All times are Berlin local time (CET) and may change as the competition progresses. Check back for live updates. In case you missed i
  12. uGen: An Agentic Framework for Generating Microarchitectural Attack PoCs (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2605.15503v1 Announce Type: new
    Abstract: Microarchitectural attacks continue to evolve, uncovering new exploitation vectors in modern processors. From a defensive perspective, assessing a system's susceptibility to such attacks remains challenging. Developing functional attack implementations is labor-intensive, requires deep microarchitectural expertise, and is highly sensitive to execution environments. Consequently, existing attacks often lack portability, limiting systematic and
  13. A Multi-Layer Cloud-IDS Pipeline with LLM and Adaptive Q-Learning Calibration (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2605.15889v1 Announce Type: new
    Abstract: Security in cloud computing has become a major concern due to several factors such as layered cloud architectures, dynamic environments, and exposure to unseen or zero-day attacks. Moreover, intrusion detection systems (IDS) typically operate at specific layers and rely heavily on machine learning models, which often perform well in experimental settings but fail to sustain performance in real cloud deployments. In this work, we implement a confid
  14. A Cross-Modal Prompt Injection Attack against Large Vision-Language Models with Image-Only Perturbation (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2605.16090v1 Announce Type: new
    Abstract: Large vision-language models (LVLMs) have emerged as a powerful paradigm for multimodal intelligence, but their growing deployment also expands the attack surface of prompt injection. Despite this growing concern, existing attacks still suffer from a critical limitation: the injected prompt for one modality only steers the model's interpretation of that singular input. Alternatively, these attacks remain multimodal but fail to achieve cross-m
  15. Probing Privacy Leaks in LLM-based Code Generation via Test Generation (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2605.15248v1 Announce Type: cross
    Abstract: The widespread availability of large-scale code datasets has fueled the rapid development of large language models (LLMs) for code-related tasks. These datasets may include sensitive personally identifiable information (PII), which can lead to privacy leakage when LLMs memorize and reproduce it. However, existing privacy-leakage detection methods rely on ad-hoc prompt construction (manually or automatically designed). Therefore, they do not adeq
  16. Propagating Unsafe Actions in LLM Controlled Multi-Robot Collaboration via Single Robot Compromise (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2605.15641v1 Announce Type: cross
    Abstract: Large language models (LLMs) are increasingly used as general planners in embodied intelligence, enabling high level coordination and low level task planning for both single robot and multi-robot collaboration. This increasing reliance on embodied LLM planners also raises critical security concerns, since misaligned or manipulated instructions can be translated into physical actions. Prior work has studied such threats in single robot settings,
  17. SafeGPT: Preventing Data Leakage and Unethical Outputs in Enterprise LLM Use (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2601.06366v2 Announce Type: replace
    Abstract: Large Language Models (LLMs) are transforming enterprise workflows but introduce security and ethics challenges when employees inadvertently share confidential data or generate policy-violating content. This paper proposes SafeGPT, a two-sided guardrail system preventing sensitive data leakage and unethical outputs. SafeGPT integrates input-side detection/redaction, output-side moderation/reframing, and human-in-the-loop feedback. Experiments
  18. Skills as Verifiable Artifacts: A Trust Schema and a Biconditional Correctness Criterion for Human-in-the-Loop Agent Runtimes (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2605.00424v2 Announce Type: replace
    Abstract: Agent skills – structured packages of instructions, scripts, and references that augment a large language model (LLM) without modifying the model itself – have moved from convenience to first-class deployment artifact. The runtime that loads them inherits the same problem package managers and operating systems have always faced: a piece of content claims a behavior; the runtime must decide whether to believe it. We argue this paper's cent
  19. DPrivBench: Benchmarking LLMs' Reasoning for Differential Privacy (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.78
    arXiv:2604.15851v2 Announce Type: replace-cross
    Abstract: Differential privacy (DP) has a wide range of applications for protecting data privacy, but designing and verifying DP algorithms requires expert-level reasoning, creating a high barrier for non-expert practitioners. Prior works either rely on specialized verification languages that demand substantial domain expertise or remain semi-automated and require human-in-the-loop guidance. In this work, we investigate whether large language mode
  20. Trojan Hippo: Weaponizing Agent Memory for Data Exfiltration (arxiv.org, 2026-05-18T04:00:00)
    Score: 14.48
    arXiv:2605.01970v3 Announce Type: replace
    Abstract: Memory systems enable otherwise-stateless LLM agents to persist user information across sessions, but also introduce a new attack surface. We characterize the Trojan Hippo attack, a class of persistent memory attacks that operates in a more realistic threat model than prior memory poisoning work: the attacker plants a dormant payload into an agent's long-term memory via a single untrusted tool call (e.g., a crafted email), which activates
  21. Pwn2Own Berlin 2026 – Day Two Results (www.thezdi.com, 2026-05-15T07:29:43)
    Score: 13.8
    Day Two of Pwn2Own Berlin 2026 and the stakes continue to rise! Security researchers are back on the Pwn2Own stage, pushing enterprise systems to their limits as the competition heats up. More exploits, more surprises, and more standout moments are unfolding, so follow along here for live updates as the race for Master of Pwn intensifies. There were plenty of big targets on the schedule today, including SharePoint, Exchange, and Safari. Following an action-packed Day One where $523,000 was award
  22. Welcome to BlackFile: Inside a Vishing Extortion Operation (cloud.google.com, 2026-05-15T14:00:00)
    Score: 12.765
    Written by: Austin Larsen, Tyler McLellan, Genevieve Stark, Dan Ebreo Introduction Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise. By leveraging adversary-in-the-middle (AiTM) techniques to bypass traditional perimeter defenses and multi-factor authentication (MFA), UNC
  23. Patch Tuesday – May 2026 (www.rapid7.com, 2026-05-13T00:22:19)
    Score: 12.654
    Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above. Windows Netlogon: critical RCE. Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer ove
  24. The May 2026 Security Update Review (www.thezdi.com, 2026-05-12T18:38:43)
    Score: 12.597
    I’m currently in Berlin helping set up for Pwn2Own Berlin, but that doesn’t stop Patch Tuesday from coming, and it’s another big one. At least nothing is listed as being in the wild – for now. Take a break from your regularly scheduled activities and let’s take a look at the latest security patches from Adobe and Microsoft. Due to technical difficulties, there will not be a video companion for this month. Adobe Patches for May 2026 For May, Adobe released 10 bulletins addressing 52 unique CVEs i
  25. PCDM: A Diffusion-Based Data Poisoning Attack Against Federated Learning Systems (arxiv.org, 2026-05-18T04:00:00)
    Score: 12.48
    arXiv:2605.16098v1 Announce Type: new
    Abstract: Federated learning (FL) is vulnerable to data poisoning attacks due to its distributed nature. Although recent GAN-based data poisoning methods have indicated the potential of using generative AI to generate seemingly legitimate poisoned data, the inherent consistency of GAN outputs can still reveal a sign of data poisoning. In this paper, we propose a diffusion-based data poisoning framework against FL systems, which leverages a Poisoning-Oriente

Auto-generated 2026-05-18
