ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories
Ravie Lakshmanan
May 07, 2026
Hacking News / Cybersecurity News

Bad week. Turns out the easiest way to get hacked in 2026 is still the same old garbage: shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins getting dumped into Discord channels like it's normal. Some of these attack chains don't even feel sophisticated anymore. More like some tired guy with a Telegram account and too much free time. The worst part is how often this stuff still works.

Meanwhile, AI tools are speeding up exploit hunting, browsers are keeping passwords sitting in memory for "performance reasons," and even ransomware crews are pushing broken builds into the wild. Everybody's scrambling to patch faster because attackers are automating faster.

Anyway. ThreatsDay's rough this week. Let's get into it.

Credential theft campaign
New MicroStealer Spotted

A new stealer called MicroStealer has been observed targeting education and telecom sectors to steal sensitive data. It was first observed in the wild in December 2025. "It specializes in stealing browser credentials, active session data, screenshots, cryptocurrency wallets, and system information," ANY.RUN said. "It spreads quickly with low detection rates thanks to a sophisticated multi-stage delivery chain and exfiltrates data via Discord webhooks and attacker-controlled servers."

Location data crackdown
FTC and Kochava Announce Settlement

The Federal Trade Commission (FTC) and location data broker Kochava said they agreed to a settlement in which the company and its subsidiary Collective Data Solutions would be blocked from selling, sharing, or disclosing sensitive location data without consumers' explicit consent. The company was found to be illegally obtaining and selling consumers' yearly incomes, mobile device IDs, app usage, and nearly real-time geolocation data within 10 meters without their consent or awareness.
While the proposed order does not impose a fine on Kochava, the company is required to establish a data retention schedule that will mandate consumers' data be deleted in a predetermined time frame.

Quantum-safe email upgrade
Proton Adds PQC Support in Proton Mail

Proton has added support for post-quantum encryption as an optional feature in Proton Mail. "Once enabled, Proton Mail can generate and use post-quantum-ready keys for new encrypted emails to protect your personal messages and business communications against today's threats and a future where current public-key cryptography may no longer be enough," the Swiss privacy-focused company said. "Enabling PQC helps protect new encrypted emails going forward. It does not retroactively re-encrypt the emails already in your mailbox, for now."

Supply chain hardening
pnpm 11 Rolls Out New Security Measures to Tackle Supply Chain Attacks

pnpm 11 has been released with new supply chain protections in place, including defaulting the minimum release age to 24 hours to reduce the risk of installing compromised packages and blocking exotic sub-dependencies that resolve from non-standard sources, such as Git repositories or direct tarball URLs. "Newly published package versions are not resolved until they are at least one day old. Teams can opt out by setting minimumReleaseAge: 0, but pnpm's default posture now favors a built-in waiting period before fresh package releases enter installs," Socket said. With most package compromise campaigns relying on automated installs to expand their reach, the new effort aims to reduce the risk of packages getting installed immediately after publication.

AI age verification push
Meta Plans to Use AI to Strengthen Underage Enforcement

Meta said it's deploying artificial intelligence (AI) tools to bolster its underage enforcement measures and remove people under 13 from its services like Facebook and Instagram.
Acknowledging that "knowing someone's age online is a complex, industry-wide challenge," the company said it's using AI to analyze profiles for contextual clues, as well as scan photos and videos for physical cues to assess whether a user is under 13 on Instagram and Facebook. "We want to be clear: this is not facial recognition. Our AI looks at general themes and visual cues, for example, height or bone structure, to estimate someone's general age; it does not identify the specific person in the image," Meta said. "By combining these visual insights with our analysis of text and interactions, we can significantly increase the number of underage accounts we identify and remove."

North Korea-linked cybercrime case
South Korean Court Upholds Jail Term for Man Who Hired N. Korean Hacker

South Korea's highest court has upheld the one-year prison term for a man, identified as Oh Dae-hyun, who hired an unnamed North Korean cybercriminal to conduct attacks against rival game servers in exchange for a payment of more than $16,300 between October 2014 and March 2015. Per details revealed by NK News last November, the defendant operated an illegal online game server for Lineage and sought access to a file that would allow him to bypass the game's security system and enable users to play the game at a lower cost. To obtain the file, the defendant is said to have communicated with a North Korean cyber actor via the Chinese messaging app QQ. The court also found that Oh recruited the same North Korean national to conduct distributed denial-of-service (DDoS) attacks on rival gaming servers. Per court documents, the North Korean national is head of the development team at a trading company under the Workers' Party of Korea. The company is also believed to have been involved in the creation and sale of DDoS attack programs and cyberterrorism tools to generate revenue for Pyongyang.
Critical ICS security flaws
Vulnerabilities in Eclipse BaSyx V2

Two security vulnerabilities have been disclosed in Eclipse BaSyx V2 that pose a severe risk to industrial environments. The vulnerabilities in question are CVE-2026-7411 (CVSS score: 10.0), an unauthenticated path traversal flaw that could be exploited to write arbitrary files, leading to code execution, and CVE-2026-7412 (CVSS score: 8.6), a blind SSRF flaw that forces the BaSyx server to act as a proxy and execute HTTP POST requests to arbitrary internal or external targets. The issues have been patched in version 2.0.0-milestone-10. "By chaining or utilizing these flaws, an external attacker can completely bypass network segmentation," Mohamed Lemine Ahmed Jidou, security researcher and founder of AegisSec, told The Hacker News. "The compromised Digital Twin server can be weaponized to pivot internally and send unauthorized commands directly to isolated Programmable Logic Controllers (PLCs) and industrial sensors, posing a direct threat to physical manufacturing lines."

Critical MOVEit exposure
<100 Exposed MOVEit Automation Instances Found

Attack surface management platform Censys said it has observed fewer than 100 exposed MOVEit Automation web admin interfaces globally, with nearly two-thirds of hosts located in the U.S. The development comes in the aftermath of CVE-2026-4670 (CVSS score: 9.8), a critical authentication bypass flaw in MOVEit Automation that could result in unauthorized access, administrative control, and data exposure.

Broken ransomware encryption
VECT 2.0 Encryptor Weaknesses

A new analysis of VECT 2.0 ransomware binaries has uncovered multiple critical flaws in both full and intermittent encryption modes, making data recovery impossible even if a ransom payment is made.
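An added illustration, not code from the Halcyon report or from VECT, of why the intermittent-mode nonce handling described in the analysis quoted next makes data unrecoverable even when the key is known: a toy keyed keystream (HMAC-SHA256 over nonce and counter) stands in for VECT's actual cipher, and the segment size, nonce length and sample plaintext are constructed for the demo.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter). Stands in for
    # VECT's real cipher; the nonce is an input, so no nonce means no keystream.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_intermittent(key: bytes, plaintext: bytes, segment: int = 16):
    # Each segment gets its own fresh 12-byte nonce, as in VECT's intermittent mode.
    parts = [plaintext[i:i + segment] for i in range(0, len(plaintext), segment)]
    nonces = [os.urandom(12) for _ in parts]
    body = b"".join(xor(p, keystream(key, n, len(p))) for p, n in zip(parts, nonces))
    return body, nonces

def vect_footer(nonces: list) -> bytes:
    # VECT 2.0 behaviour per Halcyon: only the final segment's nonce is written.
    return nonces[-1]

def fixed_footer(nonces: list) -> bytes:
    # Correct behaviour: every segment's nonce is retained in the footer.
    return b"".join(nonces)

def decrypt(key: bytes, body: bytes, footer: bytes, segment: int = 16) -> list:
    # One entry per segment: the plaintext, or None when its nonce is gone.
    n_segs = -(-len(body) // segment)
    nonces = [footer[i:i + 12] for i in range(0, len(footer), 12)]
    missing = n_segs - len(nonces)  # footer nonces belong to the trailing segments
    out = []
    for idx in range(n_segs):
        chunk = body[idx * segment:(idx + 1) * segment]
        if idx < missing:
            out.append(None)  # no nonce: keystream unrecoverable even with the key
        else:
            out.append(xor(chunk, keystream(key, nonces[idx - missing], len(chunk))))
    return out

def demo(plaintext: bytes):
    key = os.urandom(32)  # constructed stand-in for the per-victim key
    body, nonces = encrypt_intermittent(key, plaintext)
    return decrypt(key, body, fixed_footer(nonces)), decrypt(key, body, vect_footer(nonces))
```

With the fixed footer every segment decrypts; with the VECT-style footer only the final segment does, which is why a decryptor supplied after payment cannot help.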
"VECT's FULL encryptor contains an insufficient memory allocation flaw that restricts successful encryption to files 32 KB or smaller," Halcyon said. "VECT's intermittent mode discards the nonces for all encrypted segments except the final one, retaining only the last 12-byte nonce in the file footer. The decryption algorithm requires the unique nonce for each segment; all segments preceding the final block are cryptographically unrecoverable by the victim and the attacker alike."

What's more, a race condition vulnerability exists in the multi-threaded encryption implementation that causes files to be renamed with the .vect extension without their contents being encrypted. In some cases, the contents of one file are saved under a different file name, or two different files are encrypted and saved with the same name, potentially resulting in the loss of one file. "These issues collectively undermine the reliability and repeatability of the Vect2.0 encryption and renaming logic," Halcyon said.

Oracle accelerates patching
Oracle Shifts to Monthly Patch Cycle for Critical Flaws

Oracle said it will supplement the quarterly Critical Patch Update (CPU) fixes with monthly security releases focused on high-priority vulnerabilities, citing the increased pace of AI-assisted vulnerability disclosures stemming from the adoption of AI models like Anthropic Mythos to aid with code analysis, security testing, and vulnerability detection. Several vendors like Microsoft, SAP, Adobe, and Google (for Android) already release patches on a monthly cadence, most of which occur on the second Tuesday of each month. Oracle's release cycle, however, will be on the third Tuesday of each month. The first monthly Critical Security Patch Updates (CSPUs) will arrive on May 28, 2026. "CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the next quarterly release," Oracle said.
"Security depends on identifying vulnerabilities quickly and applying fixes just as quickly."

Global smishing surge
Scammers Use Fake Text Messages to Steal Data

Scammers are sending tens of thousands of fraudulent text messages to mobile users across 12 countries, imperso