16 May 2026 • 6 min read
ZYMP IT Security — 16 May 2026
Foxconn Confirms Cyberattack After Nitrogen Ransomware Gang Claims Major Data Theft
USA
Foxconn, a critical supplier for major hardware companies including Apple, Google, Intel, Dell, and Nvidia, has confirmed a cyberattack affecting its North American operations. The Nitrogen ransomware gang listed the electronics manufacturer on its dark web leak site, claiming to have stolen approximately 8 terabytes of sensitive data — more than 11 million files. The group alleges the haul includes confidential instructions, project specifications, and customer data from Foxconn’s major technology clients.
Foxconn has been a serial target of ransomware groups over the years. The company faced incidents at North American plants in 2020 (DoppelPaymer), 2022 (LockBit 2.0), and 2025 at its FIT subsidiary. Nitrogen, believed to be built on leaked code from the Russia-based Conti 2 ransomware, emerged in 2023 and typically combines data extortion with traditional ransomware encryption. The breach raises significant concerns about supply chain security, particularly given Foxconn’s central role in manufacturing for many of the world’s largest technology companies.
Palo Alto Networks Zero-Day Vulnerability Exploited by Suspected State-Sponsored Threat Actors
USA
A critical remote code execution vulnerability in Palo Alto Networks firewalls, tracked as CVE-2026-0300, has been actively exploited for nearly a month by suspected state-sponsored threat actors. The buffer overflow vulnerability exists in the User-ID Authentication Portal (Captive Portal) service of PAN-OS software and allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series firewalls. Palo Alto Networks confirmed exploitation in the wild at disclosure and has begun shipping fixes on a staggered release schedule.
The vulnerability has a CVSS score of 9.3, indicating critical severity. CISA has advised organizations to disable the User-ID Authentication Portal if not required. This incident highlights the ongoing risk posed by zero-day vulnerabilities in perimeter security devices, particularly when they are targeted by sophisticated state-sponsored groups with the resources to develop exploits faster than vendors can patch them.
PraisonAI Authentication Bypass Vulnerability Targeted Within Hours of Disclosure
USA
A newly disclosed authentication bypass flaw in PraisonAI, tracked as CVE-2026-44338 (CVSS score 7.3), drew near-instant exploitation attempts following its disclosure on May 11. The vulnerability affects versions 2.5.6 to 4.6.34 of the multi-agent team system and stems from a legacy Flask API server that ships with authentication disabled by default. This anti-pattern exposes sensitive endpoints to unauthenticated access, potentially allowing attackers to invoke protected functionality without any token.
Researchers observed exploitation checks beginning within 3 hours and 44 minutes of disclosure, demonstrating the speed at which threat actors now scan for newly disclosed vulnerabilities. The incident underscores broader concerns about default-insecure configurations in development-grade API servers and the shrinking window between vulnerability disclosure and active exploitation. Snyk reported that even the May 1, 2026 PyPI release still contained the unauthenticated server logic.
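To make the "authentication disabled by default" anti-pattern concrete, here is an added example (not PraisonAI's code) of one protected WSGI endpoint wrapped two ways: the weak wrapper only checks a token if an operator remembered to turn auth on, while the hardened wrapper fails closed, requires an explicit opt-out, and refuses to start without a configured token. Config keys, the endpoint path, and the sample token are constructed for the example.

```python
import hmac
from typing import Callable, Iterable, Optional

# Added example, not PraisonAI's own code: one protected WSGI endpoint wrapped
# two ways. weak_auth() mirrors the "auth off unless enabled" default from the
# article; hardened_auth() fails closed and refuses to start without a token.

def protected_api(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Stand-in for a sensitive endpoint such as 'run agent'."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"agent started"]

def _bearer_token(environ: dict) -> bytes:
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    return token.encode() if scheme.lower() == "bearer" else b""

def _unauthorized(start_response: Callable) -> Iterable[bytes]:
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"unauthorized"]

def weak_auth(app: Callable, config: dict) -> Callable:
    """Anti-pattern: auth is opt-in, so a fresh install answers every caller."""
    def wrapper(environ, start_response):
        if not config.get("AUTH_ENABLED", False):          # default False: open
            return app(environ, start_response)
        expected = config.get("API_TOKEN", "").encode()    # may be empty, too
        if hmac.compare_digest(_bearer_token(environ), expected):
            return app(environ, start_response)
        return _unauthorized(start_response)
    return wrapper

def hardened_auth(app: Callable, config: dict) -> Callable:
    """Fail closed: auth is on unless explicitly disabled, and a token is required."""
    if config.get("AUTH_DISABLED") is True:               # deliberate, audited opt-out
        return app
    token = config.get("API_TOKEN")
    if not token:
        raise RuntimeError("API_TOKEN is not set; refusing to start unauthenticated")
    def wrapper(environ, start_response):
        if hmac.compare_digest(_bearer_token(environ), token.encode()):
            return app(environ, start_response)
        return _unauthorized(start_response)
    return wrapper

def probe(app: Callable, token: Optional[str] = None) -> str:
    """Send one request in-process (no server) and return the status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/agents/run"}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    status = []
    list(app(environ, lambda s, h: status.append(s)))
    return status[0]
```

With an empty config, `probe(weak_auth(protected_api, {}))` returns `200 OK` for an anonymous caller, whereas `hardened_auth(protected_api, {})` refuses to construct the app at all.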
RubyGems Temporarily Suspends Registrations After Hundreds of Malicious Packages Uploaded
GLOBAL
On May 11, 2026, Mend Defender flagged more than 120 malicious packages newly published to RubyGems, the standard package manager for the Ruby ecosystem. Within 24 hours, that initial cluster expanded dramatically, with tens of thousands of packages pushed by thousands of attacker-controlled accounts. The attack forced RubyGems to suspend new account registrations and remove more than 500 malicious packages from the registry.
Analysis suggests the target may have been RubyGems itself rather than users, representing an attempt to overwhelm and possibly destabilize the package ecosystem infrastructure. RubyGems confirmed on May 13 that the bot accounts responsible had been blocked and removed, and all malicious packages had been “yanked” from the registry. The incident highlights the broader supply chain risks inherent to open-source package managers across all programming languages, not just Ruby.
OpenAI Launches Daybreak Cyber Platform to Compete with Anthropic’s Mythos
USA
OpenAI has unveiled Daybreak, a multi-tiered cybersecurity platform integrating GPT-5.5 and Codex, designed to rival Anthropic’s Mythos in detecting and patching high-severity vulnerabilities. The initiative combines frontier AI models with AI coding assistants to help organizations find and fix security flaws more rapidly. Daybreak positions itself as a developer-integrated defense platform with a broader partner ecosystem, in contrast to Anthropic Mythos’s focus on autonomous zero-day discovery.
The announcement signals intensifying competition in AI-powered cybersecurity, as both companies seek to leverage large language models to automate vulnerability assessment and remediation. Anthropic’s Mythos Preview previously helped Mozilla identify and patch 271 vulnerabilities in Firefox. Daybreak’s broader partner ecosystem approach aims to integrate vulnerability detection more tightly into existing development workflows, potentially reducing the blast radius of discovered vulnerabilities.
ZY Media Productions