
Microsoft Edge stores saved passwords in plaintext RAM

🏷️ Cybersecurity | 🔥 Trending | 🔗 11 sources | Digest Score: 32 (this score reflects the story's reliability, bias neutrality, and public momentum)

📰 Full Story

Security researchers have found that Microsoft Edge’s built‑in password manager decrypts and loads every saved credential into the browser process memory in cleartext at startup and leaves them resident for the duration of the session. Norwegian researcher Tom Jøran Sønstebyseter Rønning published a video and a proof‑of‑concept tool demonstrating that any credentials saved in Edge can be extracted from RAM, even if the sites are not visited during that session. Multiple security outlets corroborated the finding and noted the behaviour appears unique among Chromium‑based browsers. Microsoft has acknowledged the behaviour but said it is “by design,” arguing exploitation would require an already compromised device or administrative access. Security experts counter that modern infostealer malware and attacks on shared or terminal server environments make runtime plaintext credentials a practical risk. Researchers recommend users and organisations move passwords out of Edge’s manager, enable multi‑factor authentication or passkeys, and use dedicated password managers instead.

🤝 Social Media Insights

Social Summary
This reporting highlights a meaningful design difference: Edge keeping all saved passwords decrypted in RAM raises practical exposure risks (memory dumps, infostealers) beyond the limited window used by other browsers. On Windows, local encryption models and extraction tools make stored credentials more accessible to attackers with local access, prompting likely policy and tooling changes by enterprises.

Google reCAPTCHA QR checks lock out de-Googled phones

🏷️ Cybersecurity | 🔗 4 sources | Digest Score: 26

📰 Full Story

Google has rolled out a QR-code-based reCAPTCHA challenge as part of its Cloud Fraud Defense platform, first announced on April 22, 2026, that requires users to scan a code with a “compatible” mobile device to prove they are human. The verification flow accepts iOS devices and Android handsets running Google Play Services (reportedly version 25.41.30 or higher), but blocks or repeatedly challenges devices running privacy-focused, de‑Googled operating systems such as GrapheneOS, CalyxOS and other custom ROMs. The change, which Google has been migrating to sites since late 2025, leverages hardware-backed attestation to verify device integrity and is designed to counter increasingly capable AI-driven bots. Critics — including GrapheneOS developers, privacy advocates and parts of the security community — argue the move effectively ties basic web access to Google’s proprietary ecosystem, can exclude secure alternative OSes, and may have been rolled out automatically for many websites. Workarounds for affected users include using a separate certified device or selecting fallback audio challenges, while some experts urge web administrators to consider alternative verification services to avoid locking out privacy‑focused users.

ShinyHunters breach disrupts Canvas, steals student data

🏷️ Cybersecurity | 🌍 United States | 🔗 9 sources | Digest Score: 14

📰 Full Story

A cybercriminal group known as ShinyHunters breached Instructure’s Canvas learning-management system in late April and again in early May, exploiting its Free‑For‑Teacher feature to access and publish student and staff records. The group claimed it had stolen terabytes of data from roughly 8,000–9,000 institutions and set a ransom deadline for public release; reported figures vary and remain unverified. Instructure disclosed unauthorized activity detected April 29, took Canvas offline to contain the incident and temporarily suspended Free‑For‑Teacher accounts. The platform was restored for most users within days, though some services remained in maintenance mode while external forensics and U.S. federal investigators — including the FBI and CISA — were notified. Affected data reportedly includes names, email addresses, student ID numbers and private messages between users; the company said it found no evidence of exposed passwords, dates of birth, government identifiers or financial information. The disruption hit thousands of schools during U.S. finals week, forcing exam delays and alternative submission arrangements as institutions and vendors assess exposure and response.

Palo Alto PAN-OS critical zero-day exploited

🏷️ Cybersecurity | 🔗 3 sources | Digest Score: 7

📰 Full Story

Palo Alto Networks disclosed a critical buffer overflow zero-day in its PAN-OS User-ID Authentication Portal (Captive Portal), tracked as CVE-2026-0300, that allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls. The company warned of "limited exploitation" and attributed activity to a likely state-sponsored cluster tracked as CL-STA-1132. Evidence shows unsuccessful attempts from April 9 and successful exploitation and follow-on activity in April, including AD enumeration, use of tunneling tools (EarthWorm, ReverseSocks5), credential collection and log deletion. Affected PAN-OS branches include versions in the 10.x, 11.x and 12.1 lines when the portal is exposed to untrusted networks. Palo Alto plans staged software fixes beginning May 13, 2026, with further patches on May 28. The U.S. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog, directing federal agencies to apply mitigations. Until patches are issued, Palo Alto and researchers advise restricting or disabling the User-ID Authentication Portal, disabling response pages on L3 interfaces, and enabling available threat signatures for detection.

CallPhantom scam: 28 fake Android apps

🏷️ Cybersecurity | 🌍 India | 🔗 3 sources | Digest Score: 4

📰 Full Story

Security firm ESET uncovered a sprawling campaign of 28 fraudulent Android apps — dubbed “CallPhantom” — that falsely claimed to provide call, SMS and WhatsApp histories for any phone number and collectively racked up more than 7.3 million downloads. The apps generated hardcoded, fake records and prompted users to subscribe to plans costing roughly $6–$80. The campaign appears to have been active since late 2025; ESET flagged the apps to Google in December 2025 and the apps were removed from the Play Store after public disclosure in May 2026. Most victims were in India: many apps defaulted to the +91 country code and supported UPI payment methods popular there. Some subscriptions used Google Play billing (eligible for Play refunds); others routed payments through third-party UPI providers or in-app card forms, complicating reimbursement. The apps employed deceptive tactics — including fake notifications and misleading developer names such as “Indian gov.in” — to build trust and pressure users into paying. The removals followed ESET’s report; affected users are advised to check Play billing for cancellations and contact payment providers for third-party charges.

Anthropic’s Mythos sparks global cybersecurity alarm

🏷️ Cybersecurity | 🌍 United States | 🔗 6 sources | Digest Score: 4

📰 Full Story

In early May 2026 Anthropic disclosed Claude Mythos Preview, an internal AI model that in controlled testing identified thousands of previously unknown zero-day vulnerabilities across major operating systems and web browsers. Anthropic restricted access under “Project Glasswing” to roughly 40 firms — including large tech and financial firms — to give defenders a head start. Mozilla, a Mythos partner, said it shipped 423 Firefox security fixes in April, 271 of them tied to Mythos findings. US regulators responded: Federal Reserve Chair Jerome Powell and Treasury officials convened major bank CEOs to assess risk. Anthropic warned of a six-to-twelve month window before adversaries could replicate the capability. Cybersecurity researchers, however, say many of Mythos’s headline feats can be reproduced today by orchestration of existing models and cheaper toolchains; OpenAI has offered vetted access to cyber-focused models. Reports also document practical risks — from unauthorized access attempts against Mythos to a sharp surge in AI-enabled attacks — underscoring both the defensive value of these tools and the danger that equivalent offensive capabilities will proliferate globally.