Security researchers from Zhejiang University, the National University of Singapore and Nanyang Technological University presented a proof-of-concept attack called “AudioHijack” at the IEEE Symposium on Security and Privacy on May 24, 2026. They showed how adversarial, human‑inaudible audio signals can be embedded in podcasts, videos or meeting audio to covertly instruct voice AI models and agents to perform unauthorized actions. The team trained context‑agnostic signals in roughly 30 minutes and tested them against 13 open‑source audio models (including Qwen2‑Audio, GLM‑4‑Voice and Phi‑4), reporting success rates of about 79%–96% across scenarios. Demonstrated exploits included issuing sensitive web searches, downloading files from attacker‑controlled sources and exfiltrating data via email. The attacks transferred to commercial voice agents built on open weights, including services from Microsoft Azure and Mistral, although the technique currently requires access to full model weights. Defensive measures such as adversarial training and intent verification reduced but did not eliminate effectiveness. Microsoft acknowledged the research, noting practical deployments often include additional safeguards and developer guidance.

A prolific cybercrime group calling itself TeamPCP has exfiltrated roughly 3,800–4,000 internal GitHub repositories after a compromised developer device installed a poisoned Visual Studio Code extension, GitHub said. The malicious Nx Console v18.95.0 build was available on Microsoft’s Visual Studio Marketplace for about 18 minutes on May 18 before being removed; GitHub confirmed the intrusion publicly on May 20 and continues investigating. Researchers say the incident is the latest phase of an automated, self‑propagating campaign — driven by a worm called Mini Shai‑Hulud — that has staged at least 20 waves and poisoned more than 500 packages across npm, PyPI and other ecosystems. The campaign uses credential‑stealing payloads in developer tools to harvest long‑lived CI/CD tokens, then publishes tainted packages that compromise further projects; victims cited in reporting include OpenAI and others. TeamPCP offered the stolen GitHub repositories for sale on cybercrime forums (reports indicate an asking price of at least $50,000). GitHub says its current assessment is the compromise was limited to internal repositories and that it has rotated critical secrets and isolated the affected endpoint.

U.S. cybersecurity agencies and security firms warned this week of active exploitation of a critical SQL injection bug in Drupal Core, tracked as CVE-2026-9082. Drupal released patches on May 20 and updated its advisory on May 22 to confirm exploit attempts. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal civilian agencies to remediate by May 27, 2026. Security vendors, including Imperva, reported more than 15,000 attack attempts targeting nearly 6,000 sites across about 65 countries within 48 hours of disclosure; roughly half of observed probes targeted gaming and financial services sites. The vulnerability affects Drupal sites using PostgreSQL backends (Drupal estimates this is under 5% of installations but still thousands of sites) and can enable information disclosure, privilege escalation and, in some configurations, remote code execution. Administrators are urged to apply available patches for supported Drupal releases immediately and to investigate suspicious database query activity.

Trump Mobile has confirmed a data exposure after security researchers and high-profile customers found personal information for purchasers of the company’s T1 handset publicly accessible online. The vulnerability was discovered and escalated by an independent researcher, and publicised by YouTube creators Coffeezilla and penguinz0 on May 22–23, 2026. Reported exposed fields included full names, email and mailing addresses, phone numbers and order details; company spokespeople say there is no sign that payment card data, message content or core network systems were breached. The flaw — attributed to an unsecured third-party platform — was reportedly patched after the disclosures. The T1, a gold‑plated Android phone long promoted as “made in the USA” but later described as “assembled in the USA” or resembling the HTC U24 Pro, began shipping to a small number of reviewers this week after months of delay. The incident has also highlighted inconsistencies in the device’s marketing (a flag graphic with 11 stripes) and raised questions about the true scale of pre-orders, with some leaked records suggesting far fewer paid deposits than public estimates.

The U.S. Federal Bureau of Investigation this week issued a public warning about Kali365, a rapidly growing phishing-as-a-service platform that harvests Microsoft 365 OAuth access and refresh tokens to bypass multi-factor authentication and gain persistent access to Outlook, Teams, OneDrive and other services. First observed in April 2026 and proliferating on Telegram, Kali365 uses device-code phishing: victims are lured to paste a code into a legitimate Microsoft verification page, unintentionally authorising a malicious application. Security firms including Proofpoint and Arctic Wolf report the toolkit offers AI-generated lures, campaign templates, tracking dashboards and token storage; affiliates can purchase access (reported pricing about $250/month or $2,000/year). Researchers have seen multiple near-identical device-code phishing platforms emerge since February 2026. Stolen tokens can be shared among criminals and enable business email compromise, data theft, fraud, extortion and ransomware deployment. The FBI and CISA recommend limiting or disabling device-code flows, applying strict conditional access and monitoring token use while preserving emergency access processes to avoid lockouts.