Storylines
- CIS Security Advisories (cisecurity.org)
- NCSC NL Security Advisories (advisories.ncsc.nl)
- SecurityWeek (securityweek.com)
Editorial weekly synthesis.
Microsoft’s AI system uncovers critical Windows vulnerabilities in May 2026 Patch Tuesday
In May 2026, Microsoft released patches for over 130 security vulnerabilities across its product portfolio, including 16 critical flaws discovered by its new AI-driven vulnerability detection system, MDASH.
Details
- May 2026 Patch Tuesday is the first major release featuring AI-discovered vulnerabilities.
- No zero-day exploits were observed this month, highlighting the value of proactive patching.
- Microsoft is on track to break annual vulnerability patching records in 2026, driven by AI tools.
- AI-driven vulnerability discovery accelerates identification and patching of critical security flaws.
- Timely patching of critical remote code execution vulnerabilities reduces risk of widespread exploitation.
- Microsoft’s approach signals a shift toward proactive, AI-enhanced cybersecurity defenses.
Google detects first AI-developed zero-day exploit targeting 2FA bypass
Google's Threat Intelligence Group (GTIG) identified a zero-day exploit created with AI by a cybercrime group, targeting a popular open-source web administration tool to bypass two-factor authentication.
Details
- This is the first confirmed case of AI-developed zero-day exploits in the wild, signaling a shift in attacker capabilities.
- Advances in AI are accelerating vulnerability discovery and exploit generation by threat actors.
- Organizations face increasing urgency to adopt proactive detection and response tools amid evolving AI-driven threats.
- AI-generated zero-day exploits represent a new, more automated threat vector for cybercrime groups.
- Early detection and patching prevented a potentially large-scale attack exploiting 2FA bypass.
- Real-time zero-day tracking tools like Lyrie.ai can reduce the window of exposure to active exploits.
Multiple critical vulnerabilities disclosed in Open WebUI including IDOR, SSRF, and XSS
A series of high-severity security vulnerabilities have been disclosed in Open WebUI, affecting various components such as APIs, rendering views, and access controls.
Details
- Recent advisories reveal multiple critical issues requiring urgent patching.
- Open WebUI's widespread use increases potential impact of these vulnerabilities.
- Attackers may exploit these flaws if not promptly addressed, risking data breaches and service disruption.
- Exploitable IDOR and broken access controls can lead to unauthorized data access and manipulation.
- SSRF and stored XSS vulnerabilities increase risk of remote code execution and data theft.
- Feature gate bypasses and CSRF flaws undermine security controls, threatening system integrity.
Multiple medium and high severity vulnerabilities found in MantisBT
MantisBT, a widely used issue tracking system, has been found vulnerable to several security issues including multiple authorization bypasses, stored cross-site scripting (XSS), content security policy (CSP) bypass, and privilege escalation.
Details
- Multiple advisories were published simultaneously, indicating coordinated disclosure.
- High severity issues demand immediate attention from MantisBT users and administrators.
- Prompt patching can prevent exploitation of these vulnerabilities.
- MantisBT vulnerabilities expose private issue data and attachments to unauthorized users.
- Stored XSS and CSP bypasses can lead to account takeover and further compromise.
- Privilege escalation risks increase the impact of attacks on affected systems.
Cisco security advisory (AV26-471)
Serial number: AV26-471
Date: May 14, 2026
On May 14, 2026, Cisco published security advisories to address critical vulnerabilities in the following products:
- Cisco Catalyst SD-WAN Release – versions 20.9 and prior
- Cisco Catalyst SD-WAN Release – versions 20.10 and prior
- Cisco Catalyst SD-WAN Release – versions 20.11 and prior
- Cisco Catalyst SD-WAN Release – versions 20.12 and prior
- Cisco Catalyst
Details
CVE-2026-2291
Information published.
Details
CVE-2026-40460 NGINX ngx_quic_module vulnerability
Information published.
Details
Microsoft security advisory (AV26-473)
Serial number: AV26-473
Date: May 15, 2026
On May 14, 2026, Microsoft published a security advisory to address a critical vulnerability in the following products:
- Microsoft Exchange Server 2016 on premises versions (any update level)
- Microsoft Exchange Server 2019 on premises versions (any update level)
- Exchange Server Subscription Edition (SE) on premises versions (any update level)
Microsoft is
Details
Fleet Windows MDM Azure AD JWT Authentication Bypass
Severity: high
Identifiers: CVE-2026-24899, GHSA-ffg9-j72f-j6xm
Details
USN-8255-3: Linux kernel vulnerabilities
Stonejiajia, Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission checks in certain situations. A local attacker could possibly use this to gain elevated privileges. (CVE-2023-2640) Shir Tamari and Sagi Tzadik discovered that the OverlayFS implementation in the Ubuntu Linux kernel did not properly perform permission
Details
New Fragnesia Flaw Hands Linux Local Users Root Access
New Fragnesia kernel flaw lets unprivileged local users escalate to root on Linux systems
Details
Exploitation of Critical NGINX Vulnerability Begins
The flaw leads to denial-of-service on default configurations and to remote code execution if ASLR is disabled.
Details
Leaked Shai-Hulud malware fuels new npm infostealer campaign
The Shai-Hulud malware leaked last week is now used in new attacks on the Node Package Manager (npm) index, as infected packages emerged over the weekend. [...]
Details
OpenAI Hit by TanStack Supply Chain Attack
Two employee devices were compromised in the attack, and credential material was stolen from OpenAI code repositories.
Details
Critical Quest KACE SMA flaw exploited after 10 months
The critical vulnerability CVE-2025-32975 in Quest KACE Systems Management Appliance (SMA) was actively exploited against systems that had not been patched 10 months after a fix was released in May 2025.
Details
Recent public storylines
- Microsoft warns of large-scale phishing campaign targeting thousands globally
Microsoft has disclosed a sophisticated phishing campaign that targeted over 35,000 users across more than 13,000 organizations in 26 countries, primarily in the US.
- British cyber agency warns of patch wave amid Windows vulnerability exploitation
The UK National Cyber Security Centre (NCSC), the British cyber agency, has issued warnings about an impending wave of software patches driven by accelerated vulnerability discovery through AI.
- AI-assisted npm malware targets crypto wallets and macOS developers
Recent discoveries reveal that threat actors, including DPRK-linked groups, are increasingly using AI-assisted commits to insert malicious code into npm packages. These packages serve as infection vectors for sophisticated malware such as the Minirat macOS RAT, which targets developer machines and crypto wallets. The combination of AI-driven supply chain attacks and stealthy remote access trojans underscores the urgent need for enhanced security practices in software development environments.
- Vulnerability management tools often miss critical risks despite high scan scores
Security teams frequently face a disconnect between vulnerability scan results and actual risk exposure.
- Critical flaw causes Vect ransomware to act as a destructive wiper
Researchers have identified a critical flaw in Vect 2.0 ransomware that causes it to wipe large files instead of encrypting them. This flaw effectively turns the ransomware into a data-destroying wiper, making file recovery impossible even by the attackers themselves.
- GlassWorm malware campaign escalates with new fake extensions in Open VSX marketplace
The GlassWorm threat actor has significantly increased its activity by uploading 73 additional fraudulent extensions to the Open VSX code marketplace.
- FBI and Indonesian authorities dismantle global phishing network linked to $20 million fraud attempts
Coverage discusses speculative scenarios around ~$20M; treat as market chatter and see linked sources.
- March 2025 supply chain attacks compromise open source tools and IoT devices
In March 2025, multiple supply chain attacks targeted prominent open source application security organizations and IoT devices. Three organizations—Xygeni, Aqua/Trivy, and Checkmarx—were compromised via GitHub Actions.
- New ClickFix malware variant uses macOS Script Editor to deliver Atomic Stealer
A new variant of the ClickFix malware campaign bypasses Apple’s Terminal security warnings by exploiting the macOS Script Editor via the applescript:// URL scheme.
- Credential monitoring gaps and recurring incidents raise hidden security costs
Recent analysis reveals that relying solely on breach monitoring is insufficient to combat credential-based attacks due to a critical gap between detection by security operations centers (SOC) and identity and access management (IAM) response processes such as session...
- Hackers use fake Claude Code leak to spread malware
Researchers at Zscaler's ThreatLabz uncovered a deceptive GitHub repository that masquerades as a leak of Anthropic's Claude Code CLI source code. Hackers are leveraging this fake leak as bait to spread malware, tricking users into downloading malicious software under the guise of accessing legitimate code. This tactic highlights the ongoing use of popular software leaks as vectors for malware distribution.
- Recent developments in ransomware tactics and operations
Recent reports highlight evolving ransomware tactics including the Yurei double extortion toolkit, the rise of multi-extortion attacks leveraging stolen data leaks, and accelerated intrusion methods by the Akira ransomware group.