📰 DAILY THREAT BRIEFING
Friday, May 22, 2026
12 News Items
HN · BleepingComputer · Krebs · Dark Reading · SANS · THN Intel · Unit 42 · Security.com

📰 Cybersecurity News Headlines

Top stories from leading cybersecurity publications as of May 22, 2026.

  1. Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
    — Krebs on Security

    Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Interne…
  2. How CISOs Should Prep for Agentic-Ready AI BOMs
    — Dark Reading

    Finding ways to document both component and execution attributes for AI bill of materials (AI BOM).
  3. Google API Keys Remain Active After Deletion
    — Dark Reading

    A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletio…
  4. Google accidentally exposed details of unfixed Chromium flaw
    — Bleeping Computer

    Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the brow…
  5. AI Agents Are Shifting Identity Security Budget Dynamics
    — Dark Reading

    AI agent projects are proliferating throughout the enterprise, and those AI agent identities require management, security, and governance. N…
  6. The npm Threat Landscape: Attack Surface and Mitigations (Updated May 21)
    — Unit 42

    Unit 42 analyzes npm supply chain evolution post-Shai Hulud. Discover wormable malware, CI/CD persistence, multi-stage attacks and more. The…
  7. Apple blocked over $11 billion in App Store fraud in 6 years
    — Bleeping Computer

    Apple revealed that it blocked over $11 billion in fraudulent App Store transactions over the last six years, more than $2.2 billion in pote…
  8. Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor
    — The Hacker News

    Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a t…
  9. Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet
    — Bleeping Computer

    Modern crypto drainers don't hack wallets. They trick users into approving malicious transactions. Flare explores how the Lucifer DaaS platf…
  10. Selective HTTP Proxying in Linux, (Thu, May 21st)
    — SANS ISC

    Recently, Rob wrote about a tool, Proxifier, that can intercept requests from specific processes. Proxifier is available for Windows, macOS,…
  11. ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
    — The Hacker News

    This week starts small. A token leaks. A bad package slips in. A login trick works. An old tool shows up again. At first, it feels like the …
  12. Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
    — The Hacker News

    Microsoft has disclosed that a privilege escalation and a denial-of-service flaw in Defender have come under active exploitation in the wild.…

🪲 NVD — Last 20 Scored Vulnerabilities

Latest scored CVEs from the National Vulnerability Database (6312 in last 30 days).
Critical: 1 · High: 2 · Medium: 1 · Low: 0.

  1. CVE-2026-6960
    — CVSS 9.8 (CRITICAL)

    The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and includi…
  2. CVE-2026-22678
    — CVSS 5.4 (MEDIUM)

    Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitr…
  3. CVE-2026-47102
    — CVSS 8.8 (HIGH)

    LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may b…
  4. CVE-2026-47101
    — CVSS 8.8 (HIGH)

    LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that th…

Source: NVD CVE API 2.0


Generated by CryptXNet.ai Threat Intelligence Platform · May 22, 2026 · Sources: The Hacker News, Bleeping Computer, Krebs on Security, Dark Reading, SANS ISC, THN Threat Intel, Unit 42, Security.com