Cyber Threat Landscape: Key Incidents and Vulnerabilities from Early May

This report covers the most notable cybersecurity events discovered during the first week of May, including major breaches, AI-related threats, and critical vulnerabilities. Each incident highlights the evolving tactics of threat actors and the importance of proactive defense.

Top Attacks and Breaches

Medtronic Data Breach Exposes Millions of Records

Global medical device manufacturer Medtronic disclosed a cyberattack targeting its corporate IT systems. An unauthorized party accessed data, though the company stated that medical products, operations, and financial systems were not affected. Threat group ShinyHunters claimed responsibility, asserting that 9 million records were stolen. Medtronic is currently evaluating the scope of the exposed information.

Source: research.checkpoint.com

Vimeo Breach via Analytics Vendor Anodot

Video hosting platform Vimeo confirmed a data breach resulting from a compromise at analytics partner Anodot. Exposed data includes internal operational details, video titles and metadata, and some customer email addresses. However, passwords, payment information, and video content remained secure. The incident underscores the risks of third-party integrations.

Phishing Campaign Exploits Robinhood Account Creation

Threat actors abused the account creation process on trading platform Robinhood to launch a sophisticated phishing campaign. Emails sent from Robinhood’s official mailing system contained links to fraudulent sites and bypassed security filters. Robinhood confirmed that no accounts or funds were compromised and has since removed the vulnerable “Device” field used in the exploit.

Trellix Source Code Repository Breach

Endpoint security and XDR vendor Trellix experienced a breach in its source code repository after attackers accessed part of its internal code. The company engaged forensic experts and law enforcement, stating that there is no evidence of product tampering, pipeline compromise, or active exploitation. The incident highlights the importance of securing development environments.

AI-Related Threats

Critical RCE Flaw in Cursor AI Coding Environment

Researchers identified CVE-2026-26268, a vulnerability in Cursor’s coding environment that allows remote code execution when its AI agent interacts with a cloned malicious repository. The attack leverages Git hooks and bare repositories to execute attacker scripts, potentially exposing source code, tokens, and internal tools. Users are urged to update their Cursor installations immediately.
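One defensive check a reviewer of cloned repositories can run, given that the report attributes the Cursor issue to Git hooks inside bare repositories committed to a repo's tree: walk the working tree and flag any nested directory that looks like a Git directory and carries non-sample hook scripts. This is an added example, not code from the bulletin or from Cursor; the fixture it scans is constructed in `demo()`.

```python
"""Added example (not from the bulletin): scan a cloned repository's working
tree for nested bare Git repositories carrying hook scripts, the artifact the
Cursor report describes. The fixture built in demo() is constructed."""
import os
import tempfile
from pathlib import Path


def looks_like_git_dir(path: Path) -> bool:
    """A bare repo (or a .git directory) has HEAD, objects/ and refs/."""
    return (path / "HEAD").is_file() and (path / "objects").is_dir() and (path / "refs").is_dir()


def find_nested_hooks(root: Path) -> list[dict]:
    """Report non-sample hook files in any git dir below root, except the real
    top-level .git (git clone never transports hooks into it)."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        current = Path(dirpath)
        if current == root:
            dirnames[:] = [d for d in dirnames if d != ".git"]  # skip the real .git
            continue
        if not looks_like_git_dir(current):
            continue
        hooks_dir = current / "hooks"
        for hook in sorted(hooks_dir.iterdir()) if hooks_dir.is_dir() else []:
            if hook.is_file() and not hook.name.endswith(".sample"):
                findings.append({
                    "git_dir": str(current.relative_to(root)),
                    "hook": hook.name,
                    "executable": os.access(hook, os.X_OK),
                })
        dirnames[:] = []  # do not descend into git internals
    return findings


def demo() -> list[dict]:
    """Constructed fixture: a checkout whose tree contains a committed bare
    repo with a post-checkout hook; the hook body is a harmless echo."""
    root = Path(tempfile.mkdtemp())
    for sub in ("objects", "refs"):
        (root / ".git" / sub).mkdir(parents=True)
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    bare = root / "vendor" / "tool.git"
    for sub in ("objects", "refs", "hooks"):
        (bare / sub).mkdir(parents=True)
    (bare / "HEAD").write_text("ref: refs/heads/main\n")
    hook = bare / "hooks" / "post-checkout"
    hook.write_text("#!/bin/sh\necho constructed-hook-body\n")
    hook.chmod(0o755)
    (bare / "hooks" / "pre-commit.sample").write_text("# sample, ignored\n")
    return find_nested_hooks(root)
```

Run `find_nested_hooks(Path("path/to/clone"))` on a real checkout; any finding is worth a manual look before letting an agent or a hook-running tool operate on the repository.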


Bluekit Phishing-as-a-Service Platform with AI Assistant

A newly uncovered phishing-as-a-service platform named Bluekit bundles over 40 templates and an AI Assistant powered by GPT-4.1, Claude, Gemini, Llama, and DeepSeek. This toolkit centralizes domain setup, creates realistic login clones, applies anti-analysis filters, enables real-time session monitoring, and exfiltrates data via Telegram. The use of AI lowers the barrier for attackers.

AI-Enabled Supply Chain Attack Targets Crypto Trading Project

Researchers demonstrated a novel AI-enabled supply chain attack where Anthropic’s Claude Opus co-authored a code commit that introduced the PromptMink malware into an open-source autonomous crypto trading project. The hidden dependency siphoned credentials, planted persistent SSH access, and stole source code, enabling wallet takeover. This case illustrates the risks of AI-generated code without rigorous review.

Vulnerabilities and Patches

Microsoft Entra ID Privilege Escalation Flaw

Microsoft patched a privilege escalation vulnerability in Microsoft Entra ID that allowed a holder of the Agent ID Administrator role for AI agents to take over any service account. Researchers published a proof-of-concept showing that attackers could add credentials and impersonate privileged identities. Organizations using Entra ID for AI agent management should apply the update promptly.

Critical cPanel Authentication Bypass Under Active Exploitation

cPanel addressed CVE-2026-41940, a critical authentication bypass affecting cPanel and WHM. This flaw is being actively exploited in the wild as a zero-day, granting full administrative control without credentials. System administrators must apply the available patch immediately to prevent compromise.

For more details, download the full Threat Intelligence Bulletin covering these and other discoveries from the week of 4 May.
