9 Critical Cyber Threats from the Week of May 18th
Welcome to our weekly threat intelligence roundup. This May 18th edition highlights nine significant cybersecurity events that demand your attention. From major corporate breaches to novel AI-driven attacks and unpatched Windows flaws, staying informed is your first line of defense. Dive into the details below to understand each threat and protect your organization.
1. Vodafone Falls Prey to Lapsus$ Source Code Theft
British telecom giant Vodafone acknowledged a source code leak after a compromised third-party development tool gave the Lapsus$ extortion group limited access to its GitHub repositories. The company reassured customers that neither personal data nor core network systems were impacted. However, the incident underscores the growing risk of supply chain attacks through trusted software vendors. Lapsus$ is known for targeting tech firms, and this breach highlights the need for rigorous third-party security assessments and strict access controls.
2. THORChain Loses $10.7 Million in Vault Breach
Switzerland-based decentralized cryptocurrency exchange THORChain suffered a security incident resulting in the theft of approximately $10.7 million. The attack compromised one of its six vaults, prompting an immediate halt to trading. The company clarified that only protocol-owned assets across multiple blockchains were stolen, while user funds remained safe. The breach serves as a stark reminder that even decentralized finance platforms with multi-vault architectures can be vulnerable to targeted exploits, reinforcing the importance of robust key management and real-time monitoring.
3. West Pharmaceutical Services Hit by Ransomware
West Pharmaceutical Services, a key supplier of drug delivery components, reported a ransomware attack that encrypted systems and exfiltrated data. Although no ransomware group has claimed responsibility, the incident disrupted shipping, manufacturing, and shared services. The company is working to restore operations and has notified law enforcement. This attack on a healthcare supply chain partner illustrates the cascading effects of ransomware on critical medical infrastructure and the need for enhanced incident response planning across the pharmaceutical sector.
4. Foxconn Confirms Nitrogen Ransomware Attack
Global electronics manufacturer Foxconn confirmed a cyberattack on its North American operations, with the Nitrogen ransomware group claiming to have stolen 8 TB of data. The company reported temporary disruptions at some factories but stated that affected facilities were quickly returning to normal production. No further details on the stolen data have been disclosed. This incident highlights the persistent threat posed by ransomware groups targeting manufacturing giants and the importance of maintaining offline backups and network segmentation.
5. Claw Chain Vulnerabilities Expose AI Platforms
Researchers disclosed four vulnerabilities named “Claw Chain” in the OpenClaw autonomous AI agent platform. These flaws, including the critical CVE-2026-44112 (CVSS 9.6), allow attackers to bypass sandbox controls, access restricted files, leak secrets, and escalate to owner-level privileges. The discoverers stressed that patching these issues is urgent, as AI agents become increasingly integrated into enterprise workflows. Organizations using OpenClaw must immediately apply available patches and reassess their AI security postures.
6. AI-Assisted macOS Kernel Exploit Bypasses Apple’s Defenses
Security researchers developed a sophisticated macOS kernel exploit assisted by Anthropic’s Mythos Preview AI model. The exploit successfully bypassed Apple’s Memory Integrity Enforcement on M5 chips and achieved full system control on macOS 26.4.1. Apple was notified privately before public disclosure, and a patch is expected. This case demonstrates how AI can accelerate bug discovery, raising concerns about both offensive and defensive uses of AI in cybersecurity. Teams should prepare for more AI-generated exploits in the future.
7. Vercel’s AI Website Generator Abused for Phishing
Threat actors are exploiting Vercel’s AI-powered website generator, v0.dev, to mass-produce convincing phishing pages mimicking brands like Microsoft and Spotify. The campaigns use Telegram bots to capture credentials and payment details in real time. This abuse of legitimate AI services for phishing shows the evolving sophistication of social engineering attacks. Organizations should educate users about recognizing AI-generated phishing pages and implement multi-factor authentication to mitigate credential theft.
8. Hugging Face Repository Hides Infostealer Malware
A popular repository on Hugging Face, posing as OpenAI’s privacy filter, was found to contain Windows-targeting malware after accumulating over 200,000 downloads. The payload was an infostealer that harvested browser passwords, cookies, SSH keys, VPN configurations, and cryptocurrency wallets before exfiltrating the data. This incident highlights the risks of relying on open-source AI models without thorough security vetting. Developers should only use trusted repositories and implement checks for hidden malicious code.
9. Two Windows Zero-Days Remain Unpatched: YellowKey and GreenPlasma
Two zero-day vulnerabilities affecting Windows 11 and recent Windows Server versions were publicly disclosed without patches. YellowKey enables BitLocker bypass via the Windows Recovery Environment with physical access, while GreenPlasma abuses the CTFMON framework to escalate privileges to SYSTEM. Public proof-of-concept code is available, increasing the exploitation risk. Until Microsoft releases fixes, administrators should restrict physical access to devices and monitor for unusual privilege escalation attempts as temporary mitigations.
Staying ahead of these threats requires continuous vigilance and proactive defense. We recommend reviewing your security controls, applying patches promptly, and training staff to recognize sophisticated attacks. For deeper analysis, download our full Threat Intelligence Bulletin.