May 18, 2026 Emerging Threats Weekly

May 18, 2026

This week’s briefing covers:

00:00 – Intro

00:38 [NEW TECHNIQUE] Google Says a Cybercrime Group Used AI to Build a Zero-day for MFA Bypass
Google identified what it believes is the first case in which a threat actor used AI to help develop a working zero-day exploit intended for a mass exploitation event. The company said it discovered the operation before the attacker could deploy it broadly, giving the software developer time to fix the issue first.

02:22 [SUPPLY CHAIN] TanStack npm Compromise Shows How Trusted CI Identities Can Be Turned into Malware Delivery
The most consequential open-source supply-chain story of the week is the compromise of the @tanstack npm namespace. NVD says that on May 11, attackers published 84 malicious versions across 42 packages in roughly six minutes, using TanStack’s legitimate GitHub Actions trusted-publisher binding rather than a visibly rogue release process.

04:24 [SUPPLY CHAIN] Fake Claude Code Installer Credential Theft
During Q1 2026 and into Q2, AI tooling has become a trending lure and a persistence layer for credential theft. In one recent campaign, attackers used fake Claude Code installer lures, delivered through lookalike sites and malicious advertising, to steal developer secrets from Chromium-based browsers.

08:02 [VULNERABILITY] cPanel CVE-2026-41940 Actively Exploited for Backdoor Access and Targeted Intrusions
Cisco Talos disclosed UAT 8302 as a China-nexus advanced persistent threat group that has been targeting government entities in South America since late 2024. The activity expanded in 2025 to include government agencies in southeastern Europe.

11:05 [CAMPAIGN] AI-augmented Intrusions Target Latin American Government and Financial Organizations
Two campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, targeted government and financial organizations in Latin America using agentic AI across the attack lifecycle. Spanish-speaking operators focused on Mexican government entities, while Portuguese-speaking actors targeted Brazilian financial institutions.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder

#krollcyber #threatintelligence #cyberthreats