More Signal. Less Noise.

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

V15 | Issue 97 | 5.21.26

Daily Briefing for 05.21.26

Summary

By the N2K CyberWire staff

Microsoft patches two actively exploited Defender vulnerabilities.

Microsoft has fixed two actively exploited zero-days in Microsoft Defender, SecurityWeek reports. The first is a local privilege escalation flaw (CVE-2026-41091) caused by "[i]mproper link resolution before file access." The second (CVE-2026-45498) is a denial-of-service flaw.

While neither of the vulnerabilities is rated as critical, their active exploitation should prompt users to apply patches quickly. The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal agencies to patch the flaws by June 3rd.

Iran’s evolving cyber playbook.

Iran’s cyber operations have evolved beyond destructive malware, with actors pivoting to target identity systems. Dave Bittner sat down with Sam Rubin, Senior Vice President at Palo Alto Networks, to discuss how Iranian groups are weaponizing stolen credentials and trusted access to reach high-value targets. Whether it be attacking vulnerable trusted parties or crafting documents loaded with malware, listen to the conversation to learn how Iran’s pivot is impacting the cybersecurity landscape.

Europol operation shutters First VPN.

A Europol operation led by France and the Netherlands dismantled First VPN, a VPN service that openly catered to cybercriminals on underground forums. First VPN was widely used by ransomware gangs and other criminal threat actors. Europol said the VPN service was used in "almost every major cybercrime investigation supported by Europol in recent years."

Law enforcement arrested the alleged administrator of the service in Ukraine, shut down 33 servers, and seized several domains. Police also identified thousands of users, and shared information on 506 of these suspects with international law enforcement agencies.

Infosecurity Europe 2026

Infosecurity Europe is the leading gathering for the cybersecurity industry in Europe. Each year, we bring the community together to share the latest innovations, learn from one another, and test and benchmark solutions. Join us in London!

Ukrainian police identify suspected infostealer operator.

Ukrainian police, working with US law enforcement, have identified an 18-year-old Odesa man suspected of participating in an infostealer operation between 2024 and 2025, BleepingComputer reports. The suspect allegedly belonged to a cybercriminal operation that compromised more than 28,000 customer accounts belonging to an online store in California, then used 5,800 of the accounts to make unauthorized purchases worth around $721,000. The crooks also harvested data from the accounts and sold the information on underground forums. The 18-year-old suspect is accused of managing the online infrastructure that was used to process and sell this data.

BleepingComputer notes that the law enforcement announcement doesn't mention an arrest, so it's unclear if the suspect has been formally charged yet.

Notes.

Today's issue includes events affecting France, the Netherlands, Ukraine, and the United States.

Selected Reading

Attacks, Threats, and Vulnerabilities

Nine-Year-Old Linux Kernel Flaw Leaks SSH Keys and Password Hashes (Infosecurity Magazine) Qualys finds nine-year-old Linux ptrace flaw exposing SSH keys and password hashes locally

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft (Microsoft Security Blog) Compromised @antv npm packages deploy the Mini Shai-Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and targets credentials across GitHub, AWS, Kubernetes, Vault, npm, and 1Password platforms.

Security Patches, Mitigations, and Software Updates

Cisco Patches Critical Vulnerability in Secure Workload (SecurityWeek) Insufficient validation and authentication in the Secure Workload’s REST APIs provide remote attackers with Site Admin privileges.

Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking (SecurityWeek) CVE-2026-9082 can be exploited without authentication for information disclosure, privilege escalation, and remote code execution.

Legislation, Policy, and Regulation

Xi and Putin pledge closer cooperation on AI, cyberspace and satellite systems (The Record) In a lengthy joint statement, Moscow and Beijing pledged closer cooperation on satellite internet technologies and joint work on software development and open-source initiatives — part of a broader effort to reduce reliance on Western technology and build a more independent technological ecosystem capable of competing with countries both states consider “unfriendly.”

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

ASCEND 2026 (Washington, DC, USA, May 19 - 21, 2026) ASCEND connects the civil, commercial, and national security space sectors, along with adjacent industries, to embrace the opportunities and address the challenges that come with increased activity in space. Building our sustainable off-world future requires long-term thinking. Strategic planning, innovation, scientific exploration, and effective regulations and standards will help us preserve space for future generations. ASCEND will enable the technical exchanges, debates, and collaboration that will help forge a sustainable off-world future for all.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry's largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust N2K CyberWire to get the message out. Learn more.