The CyberWire Daily Podcast 5.26.26
Ep 2559 | 5.26.26

Attackers found a new way around MFA.

Transcript

The FBI warns attackers are abusing Microsoft OAuth authentication. India pushes faster patching as AI speeds up cyberattacks. Iranian hackers blend phishing with SEO poisoning. Anthropic’s AI finds thousands of open source flaws, while AI also reshapes bug bounties and fuels supply-chain attacks hitting thousands of GitHub repos. Plus, a new LMS zero-day, bulletproof hosting arrests in the Netherlands, FTC action over bogus “active listening” claims, and another busy week for cyber funding and M&A. Our guest is Kurtis Minder, author, joining us to discuss his book “Cyber Recon: My Life in Cyber Espionage and Ransomware Negotiation.” Please disregard all searches for disregard.

Today is Tuesday, May 26th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FBI warns of growing abuse of Microsoft OAuth device authentication.

The FBI is warning about Kali365, a phishing-as-a-service platform that helps attackers hijack Microsoft 365 accounts by abusing OAuth device code authentication. The platform reportedly emerged in April 2026 and is marketed through Telegram channels to lower-skilled cybercriminals.

Kali365 exploits Microsoft’s legitimate OAuth 2.0 Device Authorization flow, which was designed for devices like smart TVs and printers that cannot easily enter credentials. Attackers generate a device code, then trick victims into entering it at Microsoft’s login portal. Once the victim completes multi-factor authentication, attackers receive valid OAuth session tokens and gain access without needing passwords or MFA codes.

Researchers at Arctic Wolf say Kali365 also offers adversary-in-the-middle capabilities, real-time victim tracking, and AI-generated phishing lures. The FBI recommends restricting device code authentication and auditing unauthorized device registrations. This matters because device-code phishing is rapidly becoming a preferred method for compromising cloud identities and bypassing traditional MFA protections.
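One way to act on the FBI's advice to audit device-code authentication, as an added example that is not from the podcast, Microsoft, or Arctic Wolf: a small triage script over Entra ID sign-in records. It assumes records shaped like the Microsoft Graph signIn resource (where authenticationProtocol is "deviceCode" for this flow), a hypothetical allow list of users expected to use the flow, and constructed sample sign-ins rather than real log data.

```python
"""Triage Entra ID sign-in records for OAuth device-code redemptions.
Added example (not from the podcast or Microsoft); assumes records shaped
like the Graph signIn resource, where authenticationProtocol == "deviceCode".
"""
import json

# Constructed sample sign-ins in JSON Lines form (not real log data).
SAMPLE_LOG = """\
{"userPrincipalName":"a.user@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft 365"}
{"userPrincipalName":"a.user@example.com","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NL"},"appDisplayName":"Microsoft Office"}
{"userPrincipalName":"b.user@example.com","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Teams"}
{"userPrincipalName":"b.user@example.com","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"US"},"appDisplayName":"Microsoft Teams"}
"""
# Hypothetical allow list: users expected to use the flow legitimately.
DEVICE_CODE_ALLOWED = {"b.user@example.com"}

def parse_signins(text):
    """Parse JSON Lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def baseline_countries(records):
    """Countries each user signed in from via non-device-code flows."""
    seen = {}
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            country = r.get("location", {}).get("countryOrRegion")
            seen.setdefault(r["userPrincipalName"], set()).add(country)
    return seen

def find_suspicious_device_code(records, allowed=DEVICE_CODE_ALLOWED):
    """Flag device-code sign-ins by users outside the allow list, or redeemed
    from a country unseen in that user's ordinary sign-ins (the victim enters
    the code, but the attacker's client is what redeems it)."""
    baseline = baseline_countries(records)
    hits = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        upn = r["userPrincipalName"]
        country = r.get("location", {}).get("countryOrRegion")
        reasons = []
        if upn not in allowed:
            reasons.append("device code flow not permitted for this user")
        if country not in baseline.get(upn, set()):
            reasons.append(f"redeemed from unseen country {country}")
        if reasons:
            hits.append({"user": upn, "ip": r.get("ipAddress"),
                         "app": r.get("appDisplayName"), "reasons": reasons})
    return hits
```

In a real tenant the same two checks pair naturally with a Conditional Access policy that blocks the flow for everyone outside the allow list.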

CERT-In urges organizations to respond faster as AI accelerates cyber-attacks.

India’s CERT-In is urging organizations to patch actively exploited internet-facing vulnerabilities within 12 hours, warning that artificial intelligence is dramatically shortening attacker timelines. New guidance published May 25 says generative AI, large language models, and autonomous agents are accelerating reconnaissance, phishing, malware creation, and vulnerability discovery.

The framework sets risk-based remediation targets, including one day for critical external flaws and three days for critical internal vulnerabilities affecting high-value systems. CERT-In also recommends prioritizing Known Exploited Vulnerabilities and Exploit Prediction Scoring System data over severity ratings alone.

AI is compressing the gap between disclosure and exploitation, leaving defenders with far less time to respond. The guidance also emphasizes securing AI systems themselves and maintaining rapid incident reporting procedures.

Nimbus Manticore combines phishing and SEO poisoning to deliver new malware.

Iran-linked threat actor Nimbus Manticore is targeting aviation organizations with a new phishing and search engine optimization, or SEO, poisoning campaign designed to spread malware. According to Check Point Research, the IRGC-affiliated group operated in multiple waves between February and April 2026, overlapping with the US military’s Operation Epic Fury campaign.

Researchers say the group impersonated aviation companies and software vendors across the US, Europe, and the Middle East. In April, the attackers introduced fake Oracle SQL Developer download sites packed with search keywords to rank highly in search engines. The campaign also delivered a new AI-developed backdoor called MiniFast, which disguises command-and-control traffic as Chrome browser activity.

The operation shows how state-aligned actors are blending traditional phishing with search manipulation and AI-assisted malware development to scale attacks against critical sectors.

Anthropic’s AI model flags thousands of OSS flaws.

Anthropic says its Claude Mythos AI model has identified thousands of severe vulnerabilities across more than 1,000 open source software projects. The company reports more than 23,000 potential findings, with external reviewers confirming over 1,700 vulnerabilities, including more than 1,000 rated high or critical severity.

The model, available to select organizations through Project Glasswing, has reportedly helped researchers uncover flaws in projects including Firefox and Chrome-related software ecosystems. Anthropic says only a fraction of identified issues have been patched so far, citing disclosure timelines and strained security resources.

The findings highlight how AI-driven vulnerability discovery could significantly increase the pace and scale of software flaw identification, while also adding pressure to already overloaded patching and disclosure processes.

AI breaks the economics of bug bounties.

Researchers say the economics of bug bounty hunting are rapidly changing as AI accelerates vulnerability discovery and floods maintainers with security reports. HackerOne’s Internet Bug Bounty program recently cut payouts sharply, reducing rewards for medium-severity flaws from roughly $1,800 to under $300 while the program remains paused amid a processing backlog.

Security researchers told The Register that AI-assisted tools are producing higher-quality findings at a much greater scale, creating pressure on open source maintainers who still must manually validate, deduplicate, and remediate reports. Curl founder Daniel Stenberg and Linux maintainer Linus Torvalds both warned that AI-generated vulnerability submissions are becoming difficult to manage.

Researchers say the real bottleneck is no longer discovering flaws, but verifying and fixing them efficiently.

The Megalodon campaign bites thousands of GitHub repositories.

Researchers say an automated supply-chain campaign dubbed Megalodon compromised more than 5,000 GitHub repositories by injecting malicious GitHub Actions workflows through fake pull requests and forged bot identities. According to SafeDep, the attackers used base64-encoded bash payloads designed to steal cloud credentials, SSH keys, OpenID Connect tokens, and secrets exposed inside development environments.

The campaign reportedly executed more than 5,700 malicious commits in a six-hour period and targeted repositories tied to projects including Tiledesk and Black-Iron-Project. Researchers say the malware spread through poisoned workflow files rather than altered application code, making detection more difficult during routine package reviews.

Security firms warn the operation reflects a growing wave of large-scale software supply-chain attacks targeting continuous integration and delivery pipelines.
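A reviewer-side check for the pattern described above, added here as an example that is not SafeDep's tooling or code from any affected project: scan a GitHub Actions workflow for steps that decode a base64 literal and pipe it into a shell. The workflow text is constructed, and its encoded payload is a harmless `printenv | head`.

```python
"""Flag GitHub Actions workflow steps that decode base64 and pipe it into a
shell, the pattern described for the Megalodon workflow injections.
Added example; not SafeDep's tooling and not code from any affected project.
The workflow below is constructed and its encoded payload is harmless.
"""
import base64
import re

SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - name: setup
        run: echo cHJpbnRlbnYgfCBoZWFk | base64 -d | bash
"""

# "base64 -d"/"--decode" followed later on the same line by "| sh" or "| bash".
DECODE_PIPE = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")
# A whitespace-delimited run of base64 alphabet characters, 12 or more long.
B64_LITERAL = re.compile(r"(?<!\S)([A-Za-z0-9+/]{12,}={0,2})(?!\S)")


def find_decoded_shell_steps(workflow_text):
    """Return (line_number, decoded_text) for each decode-to-shell line.
    The decoded bytes are shown for the reviewer's eyes only; nothing here
    executes them."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        if not DECODE_PIPE.search(line):
            continue
        decoded = None
        m = B64_LITERAL.search(line)
        if m:
            try:
                raw = base64.b64decode(m.group(1), validate=True)
                decoded = raw.decode("utf-8", errors="replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = "<undecodable>"
        findings.append((no, decoded))
    return findings
```

Such a check belongs in a required status check or pre-merge review, since the page notes that poisoned workflow files slip past reviews focused on application code.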

Attackers exploit a zero-day in a popular learning management system.

Mandiant reports that attackers exploited a zero-day vulnerability in the KnowledgeDeliver learning management system to deploy web shells and a Cobalt Strike backdoor. The flaw, tracked as CVE-2026-5426, stemmed from hardcoded ASP.NET machine keys shared across deployments, enabling ViewState deserialization attacks.

Researchers say the attackers deployed Godzilla web shells, modified application files, and delivered fake plugin alerts before installing additional malware. Mandiant believes the final backdoor payload was customized for the targeted organization because its encryption key included the victim’s name.

The incident highlights the risks of shared cryptographic secrets across enterprise software deployments and the continued abuse of ASP.NET deserialization flaws for post-exploitation access.
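To find the kind of shared secret this incident turned on, here is an added example (not Mandiant's tooling and not KnowledgeDeliver code) that parses web.config files collected from several hosts and reports any ASP.NET machineKey pair that appears on more than one of them. The host names and configs are constructed, with placeholder key material.

```python
"""Find ASP.NET machineKey values shared across several deployments.
Added example; not Mandiant's tooling and not KnowledgeDeliver code. The
web.config contents are constructed with placeholder key material; a static
key reused across installs is what lets one ViewState forgery work fleet-wide.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: a hardcoded machineKey that two hosts happen to share.
SHARED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""

# No machineKey element: ASP.NET auto-generates per-machine keys instead.
AUTOGEN_CONFIG = "<configuration><system.web/></configuration>"

SAMPLE_CONFIGS = {   # made-up host names -> web.config text
    "lms-01.example.com": SHARED_CONFIG,
    "lms-02.example.com": SHARED_CONFIG,
    "lms-03.example.com": AUTOGEN_CONFIG,
}


def extract_machine_key(config_xml):
    """Return (validationKey, decryptionKey), or None if no machineKey is set."""
    root = ET.fromstring(config_xml)
    mk = root.find(".//machineKey")
    if mk is None:
        return None
    return (mk.get("validationKey"), mk.get("decryptionKey"))


def shared_keys(configs):
    """Map each static key pair to the hosts using it, keeping only pairs that
    appear on more than one host; those are the ones to rotate first."""
    by_key = defaultdict(list)
    for host, xml_text in configs.items():
        key = extract_machine_key(xml_text)
        if key is not None:
            by_key[key].append(host)
    return {k: hosts for k, hosts in by_key.items() if len(hosts) > 1}
```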

Dutch authorities arrest alleged operators of bulletproof hosting services.

Dutch authorities have arrested two men accused of operating companies that allegedly provided bulletproof hosting services to Russian threat actors while evading European Union sanctions. According to the Dutch Fiscal Information and Investigation Service, or FIOD, investigators seized more than 800 servers during raids at multiple locations and data centers across the Netherlands.

Officials say one suspect operated a Dutch front company tied to a sanctioned hosting provider linked to disinformation and cyberattacks targeting EU members. Investigators allege the second suspect maintained infrastructure that kept the services operational after sanctions took effect.

The case underscores growing scrutiny on infrastructure providers accused of enabling cybercrime, distributed denial-of-service attacks, and state-aligned influence operations despite international sanctions.

The FTC settles with media firms over phony claims of active device listening.

The Federal Trade Commission says Cox Media Group and two partner firms will pay $930,000 to settle allegations they falsely marketed an AI-powered advertising service that supposedly listened to conversations captured by smart devices. Regulators allege the companies claimed consumers had opted into the service and that advertisers could target localized ads based on voice data collected in real time.

According to the FTC, the “Active Listening” product did not actually use voice data. Instead, the firms reportedly resold email lists purchased from data brokers while misleading customers about the service’s capabilities and consumer consent practices.

The settlement bars the companies from misrepresenting advertising features, geographic targeting, or the collection and use of consumer voice data. The case highlights increasing regulatory scrutiny of AI marketing claims and consumer privacy practices.

The notion that your mobile device is actively listening to you is a conspiracy theory that refuses to die.

Cybersecurity investment activity remains strong.

Cybersecurity investment activity remained strong this week, led by Socket, which raised $60 million in Series C funding at a reported $1 billion valuation. Other notable raises included Israeli email security startup Ocean with $28 million, quantum-safe security firm Quantum Bridge with $8 million, and offensive security startup Hacktron with $2.9 million.

The mergers and acquisitions market also remained active. Akamai agreed to acquire Israeli browser security company LayerX for $205 million, while Cyera acquired Genie Security for a reported $50 million. Additional deals involved SecurityScorecard, Black Box, and Torq.

The funding and acquisition activity reflects continued investor focus on AI-native security platforms, software supply-chain protection, and threat intelligence capabilities as organizations adapt to evolving cyber risks.

Please disregard all searches for disregard.

Google’s new AI-heavy Search experience has apparently found an innovative way to redefine the word “disregard,” by disregarding the actual search result. Users searching the single word “disregard” this week were greeted with a large, mostly empty AI-generated response that pushed the useful Merriam-Webster definition well below the fold.

The issue surfaced shortly after Google rolled out a redesigned Search interface that prioritizes AI summaries over traditional web links. Critics online pointed to the example as evidence that the system may not handle simple edge cases particularly well. In an unexpected twist for longtime tech reporters, Microsoft’s Bing reportedly delivered the more useful result, a sentence that may have caused several search engineers to quietly stare into the middle distance.

The episode highlights ongoing concerns that AI-generated search features can sometimes add complexity where users simply wanted an answer.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.